[
https://issues.apache.org/jira/browse/CXF-8940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17772696#comment-17772696
]
Freeman Yue Fang commented on CXF-8940:
---------------------------------------
Hi [~ppalaga],
Thanks for raising this issue!
After a first glance, I don't think this is a problem in CXF. The problem should be in quarkus-cxf or the test itself. The root cause that the configuration in your test
{code}
...security.must-understand = false
{code}
doesn't work is that org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor is somehow not added to the quarkus-cxf client quarkus.cxf.client.helloUsernameTokenNoMustUnderstand. But org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor should be added by default in CXF by org.apache.cxf.ws.security.policy.interceptors.WSSecurityInterceptorProvider, together with PolicyBasedWSS4JStaxOutInterceptor. We have a test case in the CXF source code, cxf/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java, and I checked there: the org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor in the CXF test is added and invoked correctly.
The PolicyBasedWSS4JStaxOutInterceptor contains the logic for when security.enable.streaming is true (StAX API based), while PolicyBasedWSS4JOutInterceptor contains the logic for when security.enable.streaming is false (DOM API based).
If I explicitly add PolicyBasedWSS4JOutInterceptor to your test client, then it works, but surely the real fix should be somewhere else.
{code}
---
a/integration-tests/ws-security-policy/src/main/resources/application.properties
+++
b/integration-tests/ws-security-policy/src/main/resources/application.properties
@@ -94,6 +94,7 @@
quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.trust-store-password = pas
quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.username =
${wss.user}
quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.callback-handler
= #usernameTokenPasswordCallback
quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.must-understand
= false
+quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.out-interceptors =
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.features =
#messageCollector
{code}
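Review bot: the added `out-interceptors` line for the helloUsernameTokenNoMustUnderstand client hard-wires PolicyBasedWSS4JOutInterceptor into the test configuration, which, as the comment itself says, only works around the symptom: the interceptor is supposed to arrive via WSSecurityInterceptorProvider, so committing this line would stop the test from exercising the default policy path and would hide the regression if it recurs. Suggest keeping it as a local diagnostic, or marking it with a comment that it is a temporary workaround, until the root cause in the quarkus-cxf client is found. Also, the pasted hunk is line-wrapped: the interceptor class name sits on an unprefixed continuation line below the `+` line, so the hunk as shown will not apply cleanly and the property needs to be on a single line.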
Best Regards
Freeman
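The diagnosis above hinges on which WSS4J out-interceptor actually ends up on the client's outbound chain, and that cannot be seen from `client.getOutInterceptors()` because the policy-driven interceptors are added per message by WSSecurityInterceptorProvider. The following probe is an added example, not code from CXF, quarkus-cxf or the ticket: it is a plain CXF phase interceptor that, from inside the chain, records every interceptor class on the outbound message and reports whether the DOM (PolicyBasedWSS4JOutInterceptor) or StAX (PolicyBasedWSS4JStaxOutInterceptor) variant is present. The `attach` helper and the JAX-WS proxy `port` it is given are assumptions for illustration; it also sets the same two properties the ticket talks about on the request context, using the `SecurityConstants` names CXF defines for them.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;

/**
 * Hypothetical diagnostic out-interceptor (example code, not part of CXF).
 * It snapshots the class names of all interceptors on the outbound chain of the
 * message it handles, so a test can assert which WSS4J variant the policy engine
 * actually installed for this client.
 */
public class OutChainProbe extends AbstractPhaseInterceptor<Message> {

    private static final String DOM_WSS4J =
            "org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor";
    private static final String STAX_WSS4J =
            "org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor";

    private final List<String> seen = new ArrayList<>();

    public OutChainProbe() {
        // PRE_STREAM runs after the SETUP phase, in which the policy engine has
        // already asked the interceptor providers to populate the chain.
        super(Phase.PRE_STREAM);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        seen.clear();
        // InterceptorChain is Iterable over every interceptor currently in the chain,
        // including those added dynamically by WSSecurityInterceptorProvider.
        for (Interceptor<? extends Message> i : message.getInterceptorChain()) {
            seen.add(i.getClass().getName());
        }
    }

    /** True if the DOM-based interceptor (security.enable.streaming=false path) was on the chain. */
    public boolean sawDomWss4jOutInterceptor() {
        return seen.contains(DOM_WSS4J);
    }

    /** True if the StAX-based interceptor (security.enable.streaming=true path) was on the chain. */
    public boolean sawStaxWss4jOutInterceptor() {
        return seen.contains(STAX_WSS4J);
    }

    /** Full snapshot of the outbound chain, useful when neither variant shows up. */
    public List<String> chain() {
        return Collections.unmodifiableList(seen);
    }

    /**
     * Assumed helper: attaches the probe to a JAX-WS proxy and configures the client
     * the same way the ticket's properties do (must-understand off, DOM path).
     */
    public static OutChainProbe attach(Object port) {
        Client client = ClientProxy.getClient(port);
        OutChainProbe probe = new OutChainProbe();
        client.getOutInterceptors().add(probe);
        // "ws-security.must-understand" and "ws-security.enable.streaming"
        client.getRequestContext().put(SecurityConstants.MUST_UNDERSTAND, "false");
        client.getRequestContext().put(SecurityConstants.ENABLE_STREAMING_SECURITY, "false");
        return probe;
    }
}
```

After one invocation on the proxy, `probe.sawDomWss4jOutInterceptor()` should be true for a client configured as in the ticket; if it is false while `probe.chain()` still lists the policy interceptors, the provider did not register the DOM variant for that client, which is exactly the situation described in the comment, and the `mustUnderstand="1"` attribute will never be cleared on the Security header.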
> ws-security.must-understand works only if security.enable.streaming is true
> ---------------------------------------------------------------------------
>
> Key: CXF-8940
> URL: https://issues.apache.org/jira/browse/CXF-8940
> Project: CXF
> Issue Type: Bug
> Reporter: Peter Palaga
> Priority: Major
>
> I am unfortunately not sure at all how to reproduce this with plain CXF. If a
> test is required to demonstrate the issue, I'd be thankful for pointing me to
> an existing test I could adapt.
> I am able to reproduce this with quarkus-cxf - here are the steps to
> reproduce:
> {code}
> git clone [email protected]:ppalaga/quarkus-cxf.git
> cd quarkus-cxf
> git checkout CXF-8940
> mvnd clean install -DskipTests -Dquarkus.build.skip
> cd integration-tests/ws-security-policy
> mvnd clean test
> -Dtest=UsernameTokenSecurityPolicyTest#helloUsernameTokenNoMustUnderstand
> ...
> [ERROR]
> UsernameTokenSecurityPolicyTest>AbstractUsernameTokenSecurityPolicyTest.helloUsernameTokenNoMustUnderstand:180
>
> Expecting actual:
> "REQ_OUT
> Address: https://localhost:8444/services/helloUsernameToken
> HttpMethod: POST
> Content-Type: text/xml
> ExchangeId: 03fe3642-ab5b-4b85-b712-b8ed107f5a71
> ServiceName: UsernameTokenPolicyHelloService
> PortName: UsernameTokenPolicyHelloServicePort
> PortTypeName: UsernameTokenPolicyHelloService
> Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
> Payload: <soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soap:mustUnderstand="1">
> <wsse:UsernameToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="UsernameToken-4e64841c-ad35-48fd-b7ee-70e5f978e098">
> <wsse:Username>cxf-user</wsse:Username>
> <wsse:Password
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">secret</wsse:Password>
> <wsse:Nonce
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">5rs0Ra3q0FPLXFguajlTwQ==</wsse:Nonce>
> <wsu:Created>2023-10-05T22:40:54.436Z</wsu:Created>
> </wsse:UsernameToken>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
> <arg0>helloUsernameTokenNoMustUnderstand</arg0>
> </ns2:hello>
> </soap:Body>
> </soap:Envelope>
> "
> not to contain:
> "soap:mustUnderstand="1""
> {code}
> Running the same logic with
> {{quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.enable.streaming
> = true}} works as expected:
> {code}
> mvnd clean test
> -Dtest=UsernameTokenSecurityPolicyStaxTest#helloUsernameTokenNoMustUnderstand
> ...
> BUILD SUCCESS
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)