Hi Vyacheslav,
Please open an issue here: https://issues.apache.org/jira/browse/CMIS
I'll look into it.
- Florian
> Hello,
>
> I have a custom authentication provider that extends
> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider.
> The provider modifies Security header in outgoing SOAP message in order to
> implement a proprietary authentication. On the server side authentication
> data is parsed, client is authenticated, request is processed and a new
> Security header is attached to the reply message. The client extracts
> authentication data from the response and uses it for sequential calls. That
> worked well in implementations based on Chemistry 0.10 and 0.13. While trying
> to port to Chemistry 0.14 the code started to fail with
> java.lang.UnsupportedOperationException. Using debugger I found the cause of
> the failure:
>
>
> 1. When message is being prepared to be sent Chemistry framework calls
> a custom authentication provider. The provider prepares Security header and
> returns it to framework
>
> 2. Framework in
> org.apache.chemistry.opencmis.client.bindings.spi.webservices.CXFPortProvider.
> createPortObject(...) creates a new header list and adds it to request
> context at line 120:
>
>     portObject.getRequestContext().put(
>         Header.HEADER_LIST,
>         Collections.singletonList(new Header(
>             new QName(soapHeader.getNamespaceURI(), soapHeader.getLocalName()),
>             soapHeader)));
>
> 3. Request is sent to server, server processes it and replies with a
> message containing another Security header
>
> 4. Response is being processed on client by Apache CXF making a bunch of
> calls to interceptors. One of the interceptors,
> org.apache.cxf.binding.soap.saaj.SAAJInInterceptor.replaceHeaders(...),
> attempts to replace old headers in context if the response has headers with
> matching names (line 310):
>
>     Header oldHdr = message.getHeader(
>         new QName(elem.getNamespaceURI(), elem.getLocalName()));
>     if (oldHdr != null) {
>         message.getHeaders().remove(oldHdr);
>     }
>     message.getHeaders().add(shead);
>
> The problem is that the header list created by CXFPortProvider in step #2 is
> read-only, but SAAJInInterceptor in step #4 expects it to be read-write.
>
> Not sure where the fix has to be done, but I would expect that having the
> same header in the request and response is acceptable.
>
> Regards,
>
> Vyacheslav Pascarel
>
>
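The failure reported in the quoted message can be reproduced with plain JDK types. This is an added example, not code from OpenCMIS, CXF or either poster: the `Hdr` class is a hypothetical stand-in for the CXF header type, and the namespace and token values are constructed. It runs the same remove-then-add sequence as the quoted replaceHeaders(...) snippet, first on a `Collections.singletonList` and then on a mutable list holding the same header.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.namespace.QName;

public class HeaderListDemo {
    // Hypothetical, simplified stand-in for a SOAP header entry (name + payload).
    static final class Hdr {
        final QName name;
        final String value;
        Hdr(QName name, String value) { this.name = name; this.value = value; }
    }

    // Same sequence as the quoted snippet: find a header with a matching
    // QName, remove it if present, then add the header from the response.
    static String replaceHeader(List<Hdr> headers, Hdr incoming) {
        try {
            Hdr old = null;
            for (Hdr h : headers) {
                if (h.name.equals(incoming.name)) { old = h; break; }
            }
            if (old != null) {
                headers.remove(old);   // throws on an immutable list
            }
            headers.add(incoming);
            return "replaced, list now holds: " + headers.get(headers.size() - 1).value;
        } catch (UnsupportedOperationException e) {
            return "failed with " + e.getClass().getName();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the real Security header namespace is not used here.
        QName security = new QName("urn:example:security", "Security");
        Hdr request = new Hdr(security, "request-auth-data");
        Hdr response = new Hdr(security, "response-auth-data");

        // Header list built the way step 2 describes: immutable, one element.
        List<Hdr> readOnly = Collections.singletonList(request);
        System.out.println("singletonList: " + replaceHeader(readOnly, response));

        // The same header in a mutable list accepts the replacement.
        List<Hdr> mutable = new ArrayList<>(Collections.singletonList(request));
        System.out.println("ArrayList:     " + replaceHeader(mutable, response));
    }
}
```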