ReadHeadersInterceptor reads to much after parsing soap-header and breaks wss
signature
---------------------------------------------------------------------------------------
Key: CXF-1491
URL: https://issues.apache.org/jira/browse/CXF-1491
Project: CXF
Issue Type: Bug
Affects Versions: 2.0.4
Reporter: Marc Giger
Priority: Critical
On line 176 in ReadHeadersInterceptor there is the following code:
/// advance just past body.
//xmlReader.nextTag();
if (message.getVersion().getFault().equals(xmlReader.getName())) {
Endpoint ep = message.getExchange().get(Endpoint.class);
if (!isDecoupled(message)) {
message.getInterceptorChain().abort();
if (ep.getInFaultObserver() != null) {
ep.getInFaultObserver().onMessage(message);
}
} else {
message.getExchange().put("deferred.fault.observer.notification",
Boolean.TRUE);
}
}
xmlReader.nextTag(); reads to much. After the body-element it is possible to
have a text-node which is part of signature-digest when the whole
body is signed. With this statement we skip this text-node and as result the
signature is invalid.
xmlReader.next() solves that problem but the code that follows it stops
working...of course.
Btw: If I understand the code correctly, if the incoming mesage is a soap-fault
the InFaultChain is called. Is ReadHeadersInterceptor the right place to check
for a InFault? What happens when the incoming fault is encrypted? Shouldn't
that be moved to a separate interceptor after a possible WSS4JInterceptor is
called?
Thanks
Marc
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
