The below test case will return a SOAP fault with a message about 
IndexOutOfBoundsException.  All future "good" requests to TFIM will 
subsequently also receive the IndexOutOfBoundsException instead of the correct 
response.  I've attached the client log for this scenario.  

Can anyone confirm how many HTTP connections are made to the server for 
something like this?  I'm guessing two, one for retrieving the WSDL and one for 
sending the SOAP request.

import java.util.LinkedList;
import java.util.List;
import java.util.Map;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.ws.addressing.WSAddressingFeature;
import org.apache.cxf.ws.policy.WSPolicyFeature;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.junit.Assert;
import org.junit.Test;

public class TFIMTest {
    @Test
    public void testRST() throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        STSClient client = new STSClient(bus);
        // WSDL, service and port of the TFIM WS-Trust 1.3 endpoint
        client.setWsdlLocation("https://mytfimserver.foo.org:9445/TrustServerWST13/services/RequestSecurityToken?wsdl");
        client.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}SecurityTokenService");
        client.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken");
        client.setRequiresEntropy(false);
        client.setFeatures(buildFeatures());

        // set user name and password (UsernameToken credentials for the RST)
        Map<String, Object> ctx = client.getRequestContext();
        ctx.put(SecurityConstants.USERNAME, "scott");
        ctx.put(SecurityConstants.PASSWORD, "tiger");

        String appliesTo = "http://foo.org/VER/ICM/SAML1.1";
        String action = null;
        String requestType = "/Issue";   // STSClient prefixes this with the WS-Trust namespace
        SecurityToken target = null;

        try {
            client.requestSecurityToken(appliesTo, action, requestType, target);
            Assert.fail("TFIM should have thrown a fatal error");
        } catch (SoapFault ex) {
            // the fault TFIM returns for this request (and for every request after it)
            Assert.assertEquals("java.lang.IndexOutOfBoundsException: Index: 0, Size: 0",
                                ex.getMessage());
        }
    }

    private List<AbstractFeature> buildFeatures() {
        List<AbstractFeature> result = new LinkedList<AbstractFeature>();
        result.add(new WSAddressingFeature());
        result.add(new WSPolicyFeature());
        return result;
    }
}

Brandon 
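As an added example (not from the thread and not CXF's own code), here is how I would capture what CXF actually puts on the wire for this RST and then vary the one transport setting a hand-built client that only matches the headers would not reproduce, the body framing. It reuses the placeholder endpoint, credentials and AppliesTo from the test case above and is written against the CXF 2.2-era API (STSClient.getClient(), HTTPConduit.setClient(HTTPClientPolicy), LoggingInInterceptor/LoggingOutInterceptor); the chunking comparison is an experiment, not a claim about what causes the fault.

```java
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.apache.cxf.ws.addressing.WSAddressingFeature;
import org.apache.cxf.ws.policy.WSPolicyFeature;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;

public class TFIMWireCapture {

    // Placeholder values taken from the test case in this thread; replace with your own.
    private static final String WSDL =
        "https://mytfimserver.foo.org:9445/TrustServerWST13/services/RequestSecurityToken?wsdl";
    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getDefaultBus();

        // Log every outbound message, inbound response and inbound fault (HTTP
        // headers plus payload) so the exact RST bytes and the returned fault are
        // recorded. These interceptors only see SOAP messages; the WSDL GET is done
        // by the WSDL loader and does not pass through the interceptor chain.
        bus.getOutInterceptors().add(new LoggingOutInterceptor());
        bus.getInInterceptors().add(new LoggingInInterceptor());
        bus.getInFaultInterceptors().add(new LoggingInInterceptor());

        // Same RST twice: CXF's default transport settings, then with chunked
        // transfer encoding disabled (Content-Length framing, as a SoapUI/TCPMon
        // replay of a captured request would send it).
        sendIssueRequest(bus, true);
        sendIssueRequest(bus, false);
    }

    static void sendIssueRequest(Bus bus, boolean allowChunking) throws Exception {
        STSClient client = new STSClient(bus);
        client.setWsdlLocation(WSDL);
        client.setServiceName("{" + WST_NS + "}SecurityTokenService");
        client.setEndpointName("{" + WST_NS + "}RequestSecurityToken");
        client.setRequiresEntropy(false);
        client.setFeatures(buildFeatures());

        Map<String, Object> ctx = client.getRequestContext();
        ctx.put(SecurityConstants.USERNAME, "scott");
        ctx.put(SecurityConstants.PASSWORD, "tiger");

        // Reach the HTTP conduit underneath the STSClient (getClient() builds the
        // client from the WSDL) and set its policy explicitly. AllowChunking is
        // true by default in CXF, so the default run sends a chunked request body.
        Client cxfClient = client.getClient();
        HTTPConduit conduit = (HTTPConduit) cxfClient.getConduit();
        HTTPClientPolicy policy = new HTTPClientPolicy();
        policy.setAllowChunking(allowChunking);
        policy.setConnectionTimeout(10000);
        policy.setReceiveTimeout(30000);
        conduit.setClient(policy);

        try {
            client.requestSecurityToken("http://foo.org/VER/ICM/SAML1.1", null, "/Issue", null);
            System.out.println("allowChunking=" + allowChunking + ": token issued");
        } catch (SoapFault ex) {
            // With the TFIM behaviour described above this is where the
            // IndexOutOfBoundsException fault would surface.
            System.out.println("allowChunking=" + allowChunking + ": fault " + ex.getMessage());
        }
    }

    private static List<AbstractFeature> buildFeatures() {
        List<AbstractFeature> result = new LinkedList<AbstractFeature>();
        result.add(new WSAddressingFeature());
        result.add(new WSPolicyFeature());
        return result;
    }
}
```

The logging interceptors write at INFO through java.util.logging under the org.apache.cxf logger, so that logger has to be enabled in the JDK logging configuration to see anything. To answer the connection-count question rather than the message-count question, run the JVM with -Djavax.net.debug=ssl (each TLS handshake is one new connection) or keep TCPMon in the path; the interceptor log alone does not show the WSDL fetch. Since the request is reported to take the STS down, run this only against a test instance.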


-----Original Message-----
From: Dennis Sosnoski [mailto:[email protected]] 
Sent: Thursday, April 22, 2010 8:46 PM
To: [email protected]
Subject: Re: CXF takes down IBM TFIM

Any information available from the crash might help isolate the problem. 
But if this is repeatable it represents a major security issue for TFIM, 
since it shows an easy denial-of-service attack.

  - Dennis


Brandon Richins wrote:
> When I send a RST to IBM TFIM, my STS, I crash it to the point where it has 
> to be rebooted.  If I send the same request (captured) via SoapUI or TCPMon, 
> it doesn't crash it.
>
> I was wondering what kind of connection parameters are added to http(s) 
> connections, specifically when communicating with an STS.  I saw Dan's recent 
> post indicating that CXF uses Java's HttpConnection and not Apache 
> commons-http component.  I even created a simple java client that matched the 
> headers from CXF 100% but I still can't replicate taking it down.  I have 
> looked at the HttpConduit and didn't see anything out of the ordinary that 
> could cause this.  Any ideas as I try to develop a test case or debug this?
>
> I tried to look at increasing the log level but 
> http://cxf.apache.org/docs/debugging-and-logging.html seems to be missing the 
> example content and the linked config 
> (http://cwiki.apache.org/CXF20DOC/configuration.html) returns a 404.  Any 
> tips here would be great too.
>
> Thanks in advance,
>
> Brandon
>
>
>   
