[ https://issues.apache.org/jira/browse/CXF-8940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17772696#comment-17772696 ]

Freeman Yue Fang commented on CXF-8940:
---------------------------------------

Hi [~ppalaga],

Thanks for raising this issue!

At first glance, I don't think this is a problem in CXF. The problem should be in quarkus-cxf or in the test itself. The root cause why the configuration in your test
{code}
...security.must-understand = false
{code}
doesn't work is that org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor is somehow not added to the quarkus-cxf client quarkus.cxf.client.helloUsernameTokenNoMustUnderstand. But org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor should be added by default in CXF by org.apache.cxf.ws.security.policy.interceptors.WSSecurityInterceptorProvider, together with PolicyBasedWSS4JStaxOutInterceptor. We have a test case in the CXF source code, cxf/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java, and I checked there that org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor in the CXF test is added and invoked correctly.

The PolicyBasedWSS4JStaxOutInterceptor contains the logic used when security.enable.streaming is true (StAX API based), while PolicyBasedWSS4JOutInterceptor contains the logic used when security.enable.streaming is false (DOM API based).

If I explicitly add PolicyBasedWSS4JOutInterceptor to your test client, then it works, but surely the real fix should be somewhere else.
{code}
--- 
a/integration-tests/ws-security-policy/src/main/resources/application.properties
+++ 
b/integration-tests/ws-security-policy/src/main/resources/application.properties
@@ -94,6 +94,7 @@ 
quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.trust-store-password = pas
 quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.username = 
${wss.user}
 
quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.callback-handler 
= #usernameTokenPasswordCallback
 quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.must-understand 
= false
+quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.out-interceptors = 
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
 quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.features = 
#messageCollector
{code}
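Review bot: the added `out-interceptors = org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor` line hard-wires the interceptor into this one client, which the comment above itself calls a workaround rather than the fix: WSSecurityInterceptorProvider is expected to register it (together with PolicyBasedWSS4JStaxOutInterceptor) whenever the security policy applies, so the change to make is finding why the provider does not do so for this client, not shipping this property. If it is kept as a test-only change, a comment next to the property explaining why it is there would help, since the `security.must-understand = false` line two lines above it has no visible effect on the DOM (non-streaming) path until this interceptor is on the out chain.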

Best Regards
Freeman
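For anyone adapting a plain-CXF test such as UsernameTokenPolicyTest, here is the programmatic equivalent of the client properties discussed above. This is an added example, not part of this comment and not code from CXF or quarkus-cxf: the `HelloService` port type and the `UTPasswordCallback` handler are assumed names, while the CXF classes and the `SecurityConstants` keys are the ones the WSS4J interceptors read. The `addInterceptorExplicitly` flag mirrors the workaround of putting PolicyBasedWSS4JOutInterceptor on the out chain by hand.

```java
// Added example (not from the CXF issue, CXF or quarkus-cxf): plain-CXF client
// configuration equivalent to the quarkus.cxf.client.* properties above.
// Assumed names: HelloService (JAX-WS port type generated from the WSDL) and
// UTPasswordCallback (the role of #usernameTokenPasswordCallback).
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class NoMustUnderstandClient {

    /** Supplies the UsernameToken password for the configured user. */
    public static class UTPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if ("cxf-user".equals(pc.getIdentifier())) {
                    pc.setPassword("secret"); // constructed sample credential, as in the captured message
                }
            }
        }
    }

    /**
     * Applies the same settings as the helloUsernameTokenNoMustUnderstand client:
     * security.username, security.callback-handler and ws-security.must-understand = false.
     */
    public static void configure(HelloService port, boolean addInterceptorExplicitly) {
        Client client = ClientProxy.getClient(port);
        client.getRequestContext().put(SecurityConstants.USERNAME, "cxf-user");
        client.getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, new UTPasswordCallback());
        // "ws-security.must-understand" -> the DOM-path interceptor reads this when building the header
        client.getRequestContext().put(SecurityConstants.MUST_UNDERSTAND, "false");
        if (addInterceptorExplicitly) {
            // The workaround from the comment: WSSecurityInterceptorProvider is supposed to add
            // this interceptor itself when the security policy is in force.
            client.getOutInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
        }
    }
}
```

As the comment explains, on the DOM (non-streaming) path the must-understand setting is only acted on by PolicyBasedWSS4JOutInterceptor, so `configure(port, false)` with that interceptor missing from the chain leaves `soap:mustUnderstand="1"` on the header, while `configure(port, true)` reproduces the workaround from the property diff.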





> ws-security.must-understand works only if security.enable.streaming is true
> ---------------------------------------------------------------------------
>
>                 Key: CXF-8940
>                 URL: https://issues.apache.org/jira/browse/CXF-8940
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Peter Palaga
>            Priority: Major
>
> I am unfortunately not sure at all how to reproduce this with plain CXF. If a 
> test is required to demonstrate the issue, I'd be thankful for pointing me to 
> an existing test I could adapt.
> I am able to reproduce this with quarkus-cxf - here are the steps to 
> reproduce:
> {code}
> git clone g...@github.com:ppalaga/quarkus-cxf.git
> cd quarkus-cxf
> git checkout CXF-8940
> mvnd clean install -DskipTests -Dquarkus.build.skip
> cd integration-tests/ws-security-policy
> mvnd clean test 
> -Dtest=UsernameTokenSecurityPolicyTest#helloUsernameTokenNoMustUnderstand
> ...
> [ERROR]   
> UsernameTokenSecurityPolicyTest>AbstractUsernameTokenSecurityPolicyTest.helloUsernameTokenNoMustUnderstand:180
>  
> Expecting actual:
>   "REQ_OUT
>     Address: https://localhost:8444/services/helloUsernameToken
>     HttpMethod: POST
>     Content-Type: text/xml
>     ExchangeId: 03fe3642-ab5b-4b85-b712-b8ed107f5a71
>     ServiceName: UsernameTokenPolicyHelloService
>     PortName: UsernameTokenPolicyHelloServicePort
>     PortTypeName: UsernameTokenPolicyHelloService
>     Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
>     Payload: <soap:Envelope 
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
>   <soap:Header>
>     <wsse:Security 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  soap:mustUnderstand="1">
>       <wsse:UsernameToken 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>  wsu:Id="UsernameToken-4e64841c-ad35-48fd-b7ee-70e5f978e098">
>         <wsse:Username>cxf-user</wsse:Username>
>         <wsse:Password 
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";>secret</wsse:Password>
>         <wsse:Nonce 
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";>5rs0Ra3q0FPLXFguajlTwQ==</wsse:Nonce>
>         <wsu:Created>2023-10-05T22:40:54.436Z</wsu:Created>
>       </wsse:UsernameToken>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/";>
>       <arg0>helloUsernameTokenNoMustUnderstand</arg0>
>     </ns2:hello>
>   </soap:Body>
> </soap:Envelope>
> "
> not to contain:
>   "soap:mustUnderstand="1""
> {code}
> Running the same logic with 
> {{quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.enable.streaming
>  = true}} works as expected:
> {code}
> mvnd clean test 
> -Dtest=UsernameTokenSecurityPolicyStaxTest#helloUsernameTokenNoMustUnderstand
> ...
> BUILD SUCCESS
> {code}
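The failing assertion above searches for the literal string `soap:mustUnderstand="1"`, which depends on the `soap` prefix the writer happened to choose. As an added example, not part of the issue or of the quarkus-cxf test, here is a namespace-aware check of the captured envelope: it looks for the `mustUnderstand` attribute in the SOAP 1.1 envelope namespace on the wsse:Security header, parsing with DTDs disallowed. The sample envelope is a shortened copy of the REQ_OUT payload above, constructed inline.

```java
// Added example (not from the issue or the quarkus-cxf test): namespace-aware
// check for soap:mustUnderstand on the wsse:Security header of a captured envelope.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class MustUnderstandCheck {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Returns true if any wsse:Security header carries mustUnderstand="1" or "true" in the SOAP namespace. */
    public static boolean securityHeaderIsMustUnderstand(String envelope) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Captured messages are untrusted input: no DTDs, no external entities.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(envelope)));

        NodeList headers = doc.getElementsByTagNameNS(WSSE_NS, "Security");
        for (int i = 0; i < headers.getLength(); i++) {
            Element security = (Element) headers.item(i);
            // Attribute lookup by namespace, so the prefix (soap, SOAP-ENV, S, ...) does not matter.
            String mu = security.getAttributeNS(SOAP_NS, "mustUnderstand");
            if ("1".equals(mu) || "true".equals(mu)) {
                return true;
            }
        }
        return false;
    }

    // Constructed, shortened copy of the REQ_OUT payload from the issue.
    static final String SAMPLE_REQ_OUT =
          "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\">"
        + "<soap:Header>"
        + "<wsse:Security xmlns:wsse=\"" + WSSE_NS + "\" soap:mustUnderstand=\"1\">"
        + "<wsse:UsernameToken><wsse:Username>cxf-user</wsse:Username></wsse:UsernameToken>"
        + "</wsse:Security>"
        + "</soap:Header>"
        + "<soap:Body>"
        + "<ns2:hello xmlns:ns2=\"http://policy.security.it.cxf.quarkiverse.io/\">"
        + "<arg0>helloUsernameTokenNoMustUnderstand</arg0>"
        + "</ns2:hello>"
        + "</soap:Body>"
        + "</soap:Envelope>";

    public static void main(String[] args) throws Exception {
        System.out.println("mustUnderstand set on wsse:Security: "
            + securityHeaderIsMustUnderstand(SAMPLE_REQ_OUT));
    }
}
```

Running the check over the captured payload reports the header as must-understand, which is the same failure the test detects, but the result no longer changes if a client emits the envelope with a different namespace prefix.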



--
This message was sent by Atlassian Jira
(v8.20.10#820010)