[jira] [Updated] (CXF-8940) ws-security.must-understand works only if security.enable.streaming is true

[Andriy Redko (Jira)]

     [ 
https://issues.apache.org/jira/browse/CXF-8940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andriy Redko updated CXF-8940:
------------------------------
    Fix Version/s: 3.5.8

> ws-security.must-understand works only if security.enable.streaming is true
> ---------------------------------------------------------------------------
>
>                 Key: CXF-8940
>                 URL: https://issues.apache.org/jira/browse/CXF-8940
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Peter Palaga
>            Assignee: Freeman Yue Fang
>            Priority: Major
>             Fix For: 3.5.8, 3.6.3, 4.0.4
>
>
> I am unfortunately not sure at all how to reproduce this with plain CXF. If a 
> test is required to demonstrate the issue, I'd be thankful for pointing me to 
> an existing test I could adapt.
> I am able to reproduce this with quarkus-cxf - here are the steps to 
> reproduce:
> {code}
> git clone g...@github.com:ppalaga/quarkus-cxf.git
> cd quarkus-cxf
> git checkout CXF-8940
> mvnd clean install -DskipTests -Dquarkus.build.skip
> cd integration-tests/ws-security-policy
> mvnd clean test 
> -Dtest=UsernameTokenSecurityPolicyTest#helloUsernameTokenNoMustUnderstand
> ...
> [ERROR]   
> UsernameTokenSecurityPolicyTest>AbstractUsernameTokenSecurityPolicyTest.helloUsernameTokenNoMustUnderstand:180
>  
> Expecting actual:
>   "REQ_OUT
>     Address: https://localhost:8444/services/helloUsernameToken
>     HttpMethod: POST
>     Content-Type: text/xml
>     ExchangeId: 03fe3642-ab5b-4b85-b712-b8ed107f5a71
>     ServiceName: UsernameTokenPolicyHelloService
>     PortName: UsernameTokenPolicyHelloServicePort
>     PortTypeName: UsernameTokenPolicyHelloService
>     Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
>     Payload: <soap:Envelope 
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
>   <soap:Header>
>     <wsse:Security 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  soap:mustUnderstand="1">
>       <wsse:UsernameToken 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>  wsu:Id="UsernameToken-4e64841c-ad35-48fd-b7ee-70e5f978e098">
>         <wsse:Username>cxf-user</wsse:Username>
>         <wsse:Password 
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";>secret</wsse:Password>
>         <wsse:Nonce 
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";>5rs0Ra3q0FPLXFguajlTwQ==</wsse:Nonce>
>         <wsu:Created>2023-10-05T22:40:54.436Z</wsu:Created>
>       </wsse:UsernameToken>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/";>
>       <arg0>helloUsernameTokenNoMustUnderstand</arg0>
>     </ns2:hello>
>   </soap:Body>
> </soap:Envelope>
> "
> not to contain:
>   "soap:mustUnderstand="1""
> {code}
> Running the same logic with 
> {{quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.enable.streaming
>  = true}} works as expected:
> {code}
> mvnd clean test 
> -Dtest=UsernameTokenSecurityPolicyStaxTest#helloUsernameTokenNoMustUnderstand
> ...
> BUILD SUCCESS
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)