  1. Spring Web Services
  2. SWS-447

xmlsec-1.4.1 library upgrade from v. 1.4.0 breaks response encryption with Wss4jSecurityInterceptor in spring-ws 1.5.5 release.


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.5
    • Fix Version/s: 1.5.6
    • Component/s: Security
    • Environment:
      spring-ws 1.5.5, spring 2.5.6, Tomcat 6.0.16


      I have an existing Spring-ws web services implementation which secures both client requests and responses using Wss4jSecurityInterceptor with XML encryption and digital signature. The response is encrypted using the request signature certificate by setting the securementEncryptionUser property to "useReqSigCert". After upgrading the spring-ws libraries from 1.5.4 to 1.5.5, I also upgraded the bundled Apache xmlsec library from 1.4.0 to 1.4.1. A bug in xmlsec1.4.1 or an incompatibility between the xmlsec1.4.1 and wss4j-1.5.4 libraries broke response payload content encryption using the wss4j interceptor - the calling client receives garbled response XML in which some elements that were supposed to be replaced with encrypted content are left un-encrypted. In my testing the problem only occurs on response encryption (request encryption on the client side using the same xmlsec1.4.1 jar seems to work fine).

      Rolling back to xmlsec1.4.0 on both server and client fixed the problem (while keeping the rest of the spring-ws 1.5.5 jars). I also noticed that the wss4j-1.5.4 binary distribution bundles xmlsec 1.4.0 (not 1.4.1). To avoid the encryption errors, I would suggest rolling back the bundled xmlsec jar to version 1.4.0 in spring-ws releases which depend on wss4j-1.5.4.


              • Assignee:
                tareq Tareq Abedrabbo
                pdotsenko Paul Dotsenko
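
A regression check for the symptom reported above (payload elements left in cleartext where encrypted content was expected), as an added example that is not part of the original report or of spring-ws. It assumes SOAP 1.1 and content-mode encryption; the function names and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"   # SOAP 1.1 (assumption)
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

def cleartext_leaks(envelope_xml, wrapper_depth=1):
    """List paths under soap:Body that hold cleartext instead of EncryptedData.

    wrapper_depth=1: content encryption, the payload root stays visible and
    everything inside it must be xenc:EncryptedData. Use 0 when the whole
    payload element is expected to be encrypted.
    """
    body = ET.fromstring(envelope_xml).find(SOAP + "Body")
    if body is None:
        return ["(no soap:Body)"]
    leaks = []

    def walk(node, path, depth):
        for child in node:
            if child.tag == XENC + "EncryptedData":
                continue  # ciphertext subtree, nothing to inspect
            here = path + "/" + child.tag.rsplit("}", 1)[-1]
            if depth + 1 > wrapper_depth or (child.text or "").strip():
                leaks.append(here)      # element or text left unencrypted
            else:
                walk(child, here, depth + 1)

    walk(body, "Body", 0)
    return leaks

def dangling_references(envelope_xml):
    """DataReference URIs that point at no EncryptedData Id in the message."""
    root = ET.fromstring(envelope_xml)
    ids = {e.get("Id") for e in root.iter(XENC + "EncryptedData")}
    return [r.get("URI") for r in root.iter(XENC + "DataReference")
            if r.get("URI", "").lstrip("#") not in ids]

# Constructed sample: header trimmed to the ReferenceList, one element leaked.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ex="urn:example:constructed">
 <soap:Header><xenc:ReferenceList>
  <xenc:DataReference URI="#ED-1"/><xenc:DataReference URI="#ED-2"/>
 </xenc:ReferenceList></soap:Header>
 <soap:Body><ex:AccountResponse>
  <xenc:EncryptedData Id="ED-1"><xenc:CipherData/></xenc:EncryptedData>
  <ex:owner>constructed cleartext</ex:owner>
 </ex:AccountResponse></soap:Body></soap:Envelope>"""
```

Run both functions over responses captured from a test deployment after any xmlsec or wss4j jar change; a non-empty result from either means the response left the server partially unencrypted.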