Spring Web Services, issue SWS-193

XwsSecurityInterceptor: functionality for skipping the validation of a SOAP message when there are no WSSE headers in the SOAP envelope.

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 1.0
    • Fix Version/s: 2.0 M2
    • Component/s: Security
    • Labels: None

      Description

      Is it possible to skip the validateMessage(SoapMessage soapMessage) when a SOAP message has no WSSE headers?
      I'm building a web service which has to support multiple authentication mechanisms, such as X509 client certificates and BASIC authentication.
      All mechanisms are implemented using Acegi Security.

      As a workaround I have built an endpoint interceptor that looks for a WSSE security header in the SOAP envelope and decides to continue or stop processing.

        Activity

        arjen.poutsma Arjen Poutsma added a comment -

        You can achieve this by creating two separate endpoint mappings: one with the XwsSecurityInterceptor which requires WS-Security, and one without it. The airline sample does this. The trick is to have some differentiator between the WS-Security endpoints and the BASIC auth endpoints. Perhaps a different URL?

        Skipping the WS-Security headers when they are not present basically makes the headers optional, and that could result in a security leak.

        avthart Albert van 't Hart added a comment -

        The airline sample uses different endpoint mapping (marshalling endpoint, payload endpoint and annotation endpoint).
        I have one endpoint; PayloadRootAnnotationMethodEndpointMapping using JAXB2 Marshalling.

        Configuring two different URLs results in two MessageDispatcher servlets, each with its own configuration file.

        Thereby we have now created a fallback mechanism on one URL, because we have a lot of different clients (users).
        Some users want to do SOAP authentication (WS-Security) and other users can only do BASIC authentication.

        We use the MethodSecurityInterceptor from Acegi to handle the authentication and authorization.
        So when there is no (authenticated) authentication object in the security context, this results in an AuthenticationException which maps to a SOAP fault. When configuring the application in this way there cannot be a security leak (I think).

        I do not want to change the default behaviour of the XwsSecurityInterceptor, but is it possible to configure the interceptor to skip the validating?
        The AcegiPlainTextPasswordValidationCallbackHandler can also be configured to ignore authentication failures, this is also a possible security leak then?

        Well let me know what you think?
        Thanks.

        lafeuil Thomas Champagne added a comment -

        Hello

        I have a similar problem and I don't understand why this feature has not been implemented for 2 years.

        For me, I would like to implement an endpoint with an optional authentication.
        When there isn't an authentication, the endpoint answers public data of an object.
        But When there is an authentication, the endpoint answers public data with private data of an object.

        For example: with a method getBooks that returns a list of books. When there is an authentication, the method indicates whether the user is a fan of the book.
        With no authentication the response is:

        <GetBooksResponse>
          <book>
            <title>The Tragedy of Hamlet</title>
          </book>
          <book>
            <title>Little Red Riding Hood</title>
          </book>
        </GetBooksResponse>

        With authentication, the response is:

        <GetBooksResponse>
          <book>
            <title>The Tragedy of Hamlet</title>
            <favorite>true</favorite>
          </book>
          <book>
            <title>Little Red Riding Hood</title>
          </book>
        </GetBooksResponse>

        Tell me if you agree with this idea.
        Thomas

        tareq Tareq Abedrabbo added a comment -

        I've just added a skipValidationIfNoHeaderPresent property to AbstractWsSecurityInterceptor, which defaults to false, but when set to true skips validation if no WS-Security header is present.

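        Added example, not code from this issue or from the Spring-WS project: a fail-closed EndpointInterceptor, written against the Spring-WS API as I know it, for the "optional WS-Security" deployment described above. It assumes the class name RequireAuthenticationInterceptor, that it is registered before an XwsSecurityInterceptor with skipValidationIfNoHeaderPresent set to true, and that BASIC/X509 authentication happens in the servlet container (or a filter) so that getUserPrincipal() is set; a request carrying neither a wsse:Security header nor a transport principal is answered with a SOAP fault rather than reaching the endpoint unauthenticated.

```java
import java.util.Locale;
import javax.xml.namespace.QName;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.SoapHeader;
import org.springframework.ws.soap.SoapMessage;
import org.springframework.ws.transport.WebServiceConnection;
import org.springframework.ws.transport.context.TransportContextHolder;
import org.springframework.ws.transport.http.HttpServletConnection;

/**
 * Fail-closed guard for the "optional WS-Security" setup discussed in this issue. Put it in
 * the interceptor chain BEFORE an XwsSecurityInterceptor that has skipValidationIfNoHeaderPresent
 * set to true: a request with a wsse:Security header is passed on for validation, a request
 * without one is only passed on when the HTTP layer (e.g. BASIC auth) already authenticated it.
 */
public class RequireAuthenticationInterceptor implements EndpointInterceptor {
    // WS-Security 1.0 SOAP Message Security header element, i.e. <wsse:Security>
    private static final QName WSSE_SECURITY = new QName(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        "Security");

    static boolean hasWsSecurityHeader(SoapMessage message) {
        SoapHeader header = message.getSoapHeader(); // null when the envelope has no Header
        return header != null && header.examineHeaderElements(WSSE_SECURITY).hasNext();
    }

    // True only when the servlet container (or a filter in front of it) set a user principal.
    static boolean transportAuthenticated() {
        WebServiceConnection conn = TransportContextHolder.getTransportContext().getConnection();
        return conn instanceof HttpServletConnection
            && ((HttpServletConnection) conn).getHttpServletRequest().getUserPrincipal() != null;
    }

    public boolean handleRequest(MessageContext messageContext, Object endpoint) {
        SoapMessage request = (SoapMessage) messageContext.getRequest();
        if (hasWsSecurityHeader(request) || transportAuthenticated()) {
            return true; // continue; XwsSecurityInterceptor validates the header if one is present
        }
        // Neither mechanism authenticated the caller: answer with a fault instead of falling through.
        SoapMessage response = (SoapMessage) messageContext.getResponse();
        response.getSoapBody().addClientOrSenderFault("Authentication required", Locale.ENGLISH);
        return false;
    }

    public boolean handleResponse(MessageContext messageContext, Object endpoint) { return true; }
    public boolean handleFault(MessageContext messageContext, Object endpoint) { return true; }
    public void afterCompletion(MessageContext messageContext, Object endpoint, Exception ex) { }
}
```

        Because the interceptor only checks that some authentication happened, authorization (which user may see which data, as in the getBooks example) still belongs in the endpoint or a method-level security interceptor.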
        lafeuil Thomas Champagne added a comment -

        I tested your code and it's nice for me.
        Thanks for your fix.

        tareq Tareq Abedrabbo added a comment -

        Thank you for the feedback.

        arjen.poutsma Arjen Poutsma added a comment -

        Closing old issues


          People

          • Assignee: tareq Tareq Abedrabbo
          • Reporter: avthart Albert van 't Hart
          • Votes: 1
          • Watchers: 1
