ffang commented on PR #1473: URL: https://github.com/apache/cxf/pull/1473#issuecomment-1772784844
> @ffang Why do we want the policy based interceptors added and what relation does it have to https://issues.apache.org/jira/browse/CXF-8940 ?

Hi @coheigea,

CXF-8940 complains that the property "ws-security.must-understand" can't be honoured when the DOM based ws-security API is used, while it works in Stax based ws-security.

After debugging, I realized that this issue only occurs when UsernameToken is used alone with no Security Binding (like HTTPS TransportBinding) in the policy file. Actually, in PolicyBasedWSS4JOutInterceptor.java we have code like

```
boolean mustUnderstand = MessageUtils.getContextualBoolean(
    message, SecurityConstants.MUST_UNDERSTAND, true
);
String actor = (String)message.getContextualProperty(SecurityConstants.ACTOR);

// extract Assertion information
AbstractBinding binding = PolicyUtils.getSecurityBinding(aim);

if (binding == null && isRequestor(message)) {
    Policy policy = new Policy();
    binding = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
                                   policy);
}

if (binding != null) {
    WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand, saaj.getSOAPPart());
    final Element el;
    try {
        el = secHeader.insertSecurityHeader();
    } catch (WSSecurityException e) {
        throw new SoapFault(
            new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
        );
    }
    // ... (the excerpt quoted in this comment ends here)
}
```

to honour the property "ws-security.must-understand" when using the DOM based ws-security API. However, this interceptor isn't added OOTB if the policy file only contains UsernameToken but no Security Binding.

Taking a close look at UsernameTokenInterceptorProvider.java, the PolicyBasedWSS4JStaxOutInterceptor and PolicyBasedWSS4JStaxInInterceptor are there already; that's why Stax based ws-security can honour the property "ws-security.must-understand" when the policy file only contains UsernameToken. And I believe PolicyBasedWSS4JOutInterceptor and PolicyBasedWSS4JInInterceptor should be added there to support DOM based ws-security.

Also, I believe we have a similar issue https://issues.apache.org/jira/browse/CXF-2890, and the fix for it is https://github.com/apache/cxf/commit/48b7dce3d977a1630cefb633fe88480ee0746b8f

Freeman
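
One way to check whether a deployment honours "ws-security.must-understand" is to inspect a captured outbound envelope for the mustUnderstand flag on the wsse:Security header. The following is an added example, not code from this PR or from CXF; the class name, method name and the two sample envelopes are hypothetical and constructed for illustration, and it uses only JDK XML APIs.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class MustUnderstandCheck {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String SOAP12 = "http://www.w3.org/2003/05/soap-envelope";

    /** True if any wsse:Security header in the envelope is flagged mustUnderstand. */
    static boolean securityHeaderMustUnderstand(String envelopeXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Captured traffic is untrusted input: refuse DOCTYPEs to rule out XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(envelopeXml)));
        // The mustUnderstand attribute lives in the envelope's own SOAP namespace.
        String soapNs = doc.getDocumentElement().getNamespaceURI();
        if (!SOAP11.equals(soapNs) && !SOAP12.equals(soapNs)) {
            throw new IllegalArgumentException("not a SOAP 1.1/1.2 envelope: " + soapNs);
        }
        NodeList headers = doc.getElementsByTagNameNS(WSSE, "Security");
        for (int i = 0; i < headers.getLength(); i++) {
            // getAttributeNS returns "" when the attribute is absent.
            String mu = ((Element) headers.item(i)).getAttributeNS(soapNs, "mustUnderstand");
            if ("1".equals(mu) || "true".equals(mu)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample envelopes, not captured from CXF.
        String open = "<soap:Envelope xmlns:soap='" + SOAP11 + "' xmlns:wsse='" + WSSE
            + "'><soap:Header><wsse:Security";
        String rest = "><wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
            + "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>";
        String flagged = open + " soap:mustUnderstand='1'" + rest;
        String unflagged = open + rest;
        System.out.println("flagged:   " + securityHeaderMustUnderstand(flagged));
        System.out.println("unflagged: " + securityHeaderMustUnderstand(unflagged));
    }
}
```

With the property set to false, a client whose policy contains only a UsernameToken should produce an envelope for which this check returns false on both the DOM and the Stax code paths.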
