Joze Rihtarsic created CXF-9205:
-----------------------------------

             Summary: The org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor invalidates the signed SOAP Header elements
                 Key: CXF-9205
                 URL: https://issues.apache.org/jira/browse/CXF-9205
             Project: CXF
          Issue Type: Bug
          Components: Bus, Soap Binding
    Affects Versions: 3.5.11, 4.2.0
            Reporter: Joze Rihtarsic
         Attachments: image-2026-03-12-11-15-35-150.png

The _*ReadHeadersInterceptor*_ modifies the SOAP message's DOM structure by 
copying header attributes from the <S12:Header> element onto each of its child 
elements. This behavior occurs in the code section around lines 233–248 (cxf 
4.2.0).
!image-2026-03-12-11-15-35-150.png|width=892,height=343!
Given an incoming message such as:
{code:xml}
<S12:Envelope xmlns:S12="http://www.w3.org/2003/05/soap-envelope"
              xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <S12:Header testAttribute="test attribute Value">
        <wsse:Security>
            ...
        </wsse:Security>
        <eb:Messaging id="_ebmessaging_N65541">
            ...
        </eb:Messaging>
    </S12:Header>
    <S12:Body>
        ...
    </S12:Body>
</S12:Envelope>{code}

the interceptor transforms it into:

{code:xml}
<S12:Envelope xmlns:S12="http://www.w3.org/2003/05/soap-envelope"
              xmlns:eb="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <S12:Header testAttribute="test attribute Value">
        <wsse:Security testAttribute="test attribute Value">
            ...
        </wsse:Security>
        <eb:Messaging testAttribute="test attribute Value" id="_ebmessaging_N65541">
            ...
        </eb:Messaging>
    </S12:Header>
    <S12:Body>
        ...
    </S12:Body>
</S12:Envelope>{code}

When any of the header elements is signed (e.g. in this case <eb:Messaging>), 
this modification changes the signed content. As a result, the 
WSS4JInInterceptor used for signature validation detects a mismatch and raises 
an Invalid Signature exception.

The proposed fix is simply to remove the problematic block of code. The 
existing comment states:

> // Need to add any attributes that are present on the parent element
> // which otherwise would be lost.

However, these attributes are not lost. They remain correctly attached to the 
<S12:Header> element. The interceptor unnecessarily duplicates them onto each 
child element, which leads to unintended side effects such as invalidating the 
signature of the received message.
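As an added illustration (not CXF's or the reporter's code), the following Python script models the interceptor's attribute copy on a constructed message like the one above and shows why the signed reference no longer verifies: the stdlib's C14N 2.0 stands in for the Exclusive C14N 1.0 that WS-Security actually uses, and the SHA-256 over the canonical bytes stands in for the ds:Reference digest that WSS4JInInterceptor recomputes.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
EB_NS = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
ET.register_namespace("S12", SOAP_NS)
ET.register_namespace("eb", EB_NS)

# Constructed sample modelled on the message in the report (wsse:Security left out).
MESSAGE = f"""<S12:Envelope xmlns:S12="{SOAP_NS}" xmlns:eb="{EB_NS}">
  <S12:Header testAttribute="test attribute Value">
    <eb:Messaging id="_ebmessaging_N65541">payload</eb:Messaging>
  </S12:Header>
  <S12:Body/>
</S12:Envelope>"""

def reference_digest(element):
    """SHA-256 over the canonical form of one header block, standing in for the
    ds:Reference digest a WS-Security signature carries. The stdlib offers C14N 2.0
    rather than the Exclusive C14N 1.0 WS-Security uses; either way, any added
    attribute changes the canonical bytes and therefore the digest."""
    canonical = ET.canonicalize(ET.tostring(element, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_reference(signed_digest, element):
    """What WSS4JInInterceptor effectively does for each signed reference:
    recompute the digest of the referenced element and compare it."""
    return hmac.compare_digest(signed_digest, reference_digest(element))

def copy_header_attributes_to_children(header):
    """Mirrors the ReadHeadersInterceptor block the report objects to: every
    attribute on S12:Header is duplicated onto each child header block."""
    for child in header:
        for name, value in header.attrib.items():
            child.set(name, value)

def demonstrate():
    root = ET.fromstring(MESSAGE)
    header = root.find(f"{{{SOAP_NS}}}Header")
    messaging = header.find(f"{{{EB_NS}}}Messaging")
    signed = reference_digest(messaging)          # digest the sender signed
    valid_before = verify_reference(signed, messaging)
    copy_header_attributes_to_children(header)    # receiver-side DOM mutation
    valid_after = verify_reference(signed, messaging)
    return {"valid_before_copy": valid_before, "valid_after_copy": valid_after,
            "header_attr_kept": header.get("testAttribute"),
            "child_attr_added": messaging.get("testAttribute")}
```

The returned dictionary also records that `testAttribute` is still present on `S12:Header` after the copy, which is the point the report makes about the attributes not being lost.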

--
This message was sent by Atlassian Jira
(v8.20.10#820010)