[jira] [Created] (CXF-6144) WS-Security fails if body has signature on WSS4JInInterceptor

Tue, 09 Dec 2014 03:59:34 -0800 

Ruud de Jong created CXF-6144:
---------------------------------

             Summary: WS-Security fails if body has signature on 
WSS4JInInterceptor
                 Key: CXF-6144
                 URL: https://issues.apache.org/jira/browse/CXF-6144
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.9
         Environment: Any
            Reporter: Ruud de Jong


If a WebService has WS-Security with the soap body as part of the signature, 
the incoming security check (by the WSS4JInInterceptor) will break.
This bugs was introduced in 2.7.9 and is still present in the current codebase 
(3.0.3).
This problem is caused by the WSS4JInInterceptor. It uses the 
"SAAJInInterceptor.INSTANCE.handleMessage(msg)" on getSOAPMessage to convert a 
CXF SoapMessage to a javax.xml.soap.SOAPMessage.
During this conversion, the SAAJInInterceptor add an empty text-node at the end 
of the soap-body.
This breaks when the soap-body is part of the signature.

The old 2.7.8 version of the SAAJInInterceptor did (line 223:) 
StaxUtils.readDocElements(soapMessage.getSOAPPart().getEnvelope().getBody(), 
xmlReader, true, true);
The new 2.7.9 version does (line 140:)
StaxUtils.copy(xmlReader1, new SAAJStreamWriter(e.getSOAPPart(), 
e.getSOAPPart().getEnvelope().getBody()), true, true);

If I use XmlDebug in WSS4JInInterceptor right after this call, the old version 
returns:
   soapenv:Body/"" wsu:Id=id-DAA3E142F565CE51EF1418124875319916 
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
      ns:genereerProduct/""
         ns:productRequest/""
            ns:klantreferentie/""
               #text/"123"
            ns:productnaam/""
               #text/"456"
            ns:productversie/""
               #text/"789"
            ns:productsleutel/""
               ns:kvkNummer/""
                  #text/"33333333"
   #text/"\n"
   #text/"\n"

while the new version returns:
   soapenv:Body/"" wsu:Id=id-DAA3E142F565CE51EF1418124875319916 
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
      ns:genereerProduct/""
         ns:productRequest/""
            ns:klantreferentie/""
               #text/"123"
            ns:productnaam/""
               #text/"456"
            ns:productversie/""
               #text/"789"
            ns:productsleutel/""
               ns:kvkNummer/""
                  #text/"33333333"
      #text/"\n"
   #text/"\n"
   #text/"\n"

Notice the additional #text/"\n" inside the body.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to