Modestas Vainius created CXF-5724:
-------------------------------------
Summary: Extra text and comments after </soapenv:Body> are treated
as part of SOAP body by CXF
Key: CXF-5724
URL: https://issues.apache.org/jira/browse/CXF-5724
Project: CXF
Issue Type: Bug
Components: Soap Binding
Affects Versions: 2.7.11, 2.7.10, 2.7.9
Reporter: Modestas Vainius

Hello,

It appears that since
https://github.com/apache/cxf/commit/eb70d1008b8ffd32c90c990122b08d10ffcda933
extra characters and comments after </soapenv:Body> get "leaked" into CXF's view
of the SOAP body. This is not a big problem unless the SOAP body is signed with WSS
Security. Obviously, then any characters (in particular new lines or
whitespace) after </soapenv:Body> will cause signature validation to fail due
to a checksum mismatch.

This is due to the switch from StaxUtils.readDocElements() to StaxUtils.copy(). Now
I'm not sure if StaxUtils.copy() is either buggy or misused there. If called
with *fragment*=false, it would probably extract the body as expected, but then
again I'm not sure what the point of the *fragment* flag is. So, I attach the patch
which fixes the "leak" problem in StaxUtils.copy() when *fragment*=true.
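
The effect described in the report, modelled as an added example (this is not CXF's code and not the attached patch): a stream copy of the Body element that stops at the matching end tag, next to one that keeps copying past it, and the resulting digest mismatch. It assumes Python's expat parser in place of StAX, a constructed envelope, and SHA-256 over a plain serialization as a stand-in for the canonicalized digest a WS-Security signature covers; `stream_events`, `copy_fragment` and `body_digest` are hypothetical names.

```python
import hashlib
from xml.parsers import expat
from xml.sax.saxutils import escape, quoteattr

# Constructed sample: a newline and a comment follow </soapenv:Body>.
BODY = '<soapenv:Body><m:ping xmlns:m="urn:example">hi</m:ping></soapenv:Body>'
HEAD = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
CLEAN = HEAD + BODY + '</soapenv:Envelope>'
TRAILING = HEAD + BODY + '\n<!-- trailing --></soapenv:Envelope>'

def stream_events(xml_text):
    """Flatten a document into (kind, qname, serialized_text) events."""
    out = []
    p = expat.ParserCreate()  # no namespace processing: names stay as qnames
    p.StartElementHandler = lambda n, a: out.append(("start", n, "<" + n + "".join(
        " %s=%s" % (k, quoteattr(v)) for k, v in a.items()) + ">"))
    p.EndElementHandler = lambda n: out.append(("end", n, "</%s>" % n))
    p.CharacterDataHandler = lambda d: out.append(("text", None, escape(d)))
    p.CommentHandler = lambda d: out.append(("comment", None, "<!--%s-->" % d))
    p.Parse(xml_text, True)
    return out

def copy_fragment(events, qname, stop_at_matching_end):
    """Copy the first element called qname out of the event stream.
    stop_at_matching_end=False models the leak: copying runs on past the
    element's own end tag until the parent closes."""
    first = next(i for i, e in enumerate(events) if e[:2] == ("start", qname))
    depth, out = 0, []
    for kind, _, text in events[first:]:
        if kind == "start":
            depth += 1
        elif kind == "end":
            depth -= 1
            if depth < 0:  # end tag of the parent: never part of the fragment
                break
        out.append(text)
        if stop_at_matching_end and depth == 0:
            break  # matching end tag reached: the fragment is complete
    return "".join(out)

def body_digest(xml_text, stop_at_matching_end=True):
    """SHA-256 over the extracted body (stand-in for the signed digest)."""
    body = copy_fragment(stream_events(xml_text), "soapenv:Body", stop_at_matching_end)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    signed = body_digest(CLEAN)  # digest the sender computed over the body
    print("strict copy matches:", body_digest(TRAILING, True) == signed)
    print("leaky copy matches: ", body_digest(TRAILING, False) == signed)
```

The depth counter is the whole fix in this model: once it returns to zero the fragment is complete, and anything the stream delivers afterwards belongs to the enclosing envelope, not to the signed content.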