  1. Spring Web Services
  2. SWS-447

xmlsec-1.4.1 library upgrade from v. 1.4.0 breaks response encryption with Wss4jSecurityInterceptor in spring-ws 1.5.5 release.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.5
    • Fix Version/s: 1.5.6
    • Component/s: Security
    • Labels:
      None
    • Environment:
      spring-ws 1.5.5, spring 2.5.6, Tomcat 6.0.16

      Description

      I have an existing Spring-ws web services implementation which secures both client requests and responses using Wss4jSecurityInterceptor with xml encryption and digital signature. The response is encrypted using the request signature certificate by setting securementEncryptionUser property to "useReqSigCert". After upgrading spring-ws libraries from 1.5.4 to 1.5.5 I also upgraded the bundled apache xmlsec library from 1.4.0 to 1.4.1. A bug in xmlsec1.4.1 or incompatibility between xmlsec1.4.1 and wss4j-1.5.4 libraries broke response payload content encryption using wss4j interceptor - the calling client receives garbled response xml in which some elements that were supposed to be replaced with encrypted content are left un-encrypted. In my testing the problem only occurs on response encryption (request encryption on the client side using the same xmlsec1.4.1 jar seems to work fine).

      Rolling back to xmlsec1.4.0 on both server and client fixed the problem (while keeping the rest of spring-ws 1.5.5 jars). I also noticed that the wss4j-1.5.4 binary distribution bundles xmlsec 1.4.0 (not 1.4.1). To avoid the encryption errors I would suggest rolling back the bundled xmlsec jar to version 1.4.0 in spring-ws releases which depend on wss4j-1.5.4.
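An added example (not part of the original report, and not Spring-WS or WSS4J code): a regression check to run against a captured response after a dependency upgrade like the one described above, flagging any Body content that was left in the clear. It assumes the whole SOAP 1.1 Body content is meant to be encrypted; `find_plaintext` and the sample envelopes are constructed for illustration, with the header simplified to a bare ReferenceList.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ENCRYPTED_DATA = f"{{{XENC}}}EncryptedData"


def find_plaintext(envelope):
    """Return findings; an empty list means the Body carries only EncryptedData."""
    if "<!DOCTYPE" in envelope:  # SOAP messages must not carry a DTD; refuse to parse one
        raise ValueError("DTD present in SOAP message")
    root = ET.fromstring(envelope)
    bodies = root.findall(f"{{{SOAP}}}Body")
    if len(bodies) != 1:
        return ["expected exactly one soap:Body"]
    body = bodies[0]
    findings, ids = [], set()
    if (body.text or "").strip():
        findings.append("plaintext text in Body")
    for child in body:
        if child.tag == ENCRYPTED_DATA:
            ids.add(child.get("Id"))
        else:
            findings.append(f"plaintext element in Body: {child.tag}")
        if (child.tail or "").strip():
            findings.append("plaintext text in Body")
    if not ids:
        findings.append("no EncryptedData in Body")
    # Every DataReference in the header must resolve to an EncryptedData that is present.
    for ref in root.iter(f"{{{XENC}}}DataReference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in ids:
            findings.append(f"dangling DataReference {uri}")
    return findings


# Constructed sample envelopes (not captured traffic); ciphertext omitted for brevity.
_HEAD = (
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:x="{XENC}"><s:Header>'
    '<x:ReferenceList><x:DataReference URI="#ED-1"/></x:ReferenceList>'
    "</s:Header><s:Body>"
)
_TAIL = "</s:Body></s:Envelope>"
GOOD = _HEAD + '<x:EncryptedData Id="ED-1"/>' + _TAIL
PARTIAL = _HEAD + '<x:EncryptedData Id="ED-1"/><balance>42</balance>' + _TAIL
MISSING = _HEAD + "<balance>42</balance>" + _TAIL

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("partial", PARTIAL), ("missing", MISSING)):
        print(name, find_plaintext(msg))
```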

          Activity

          pdotsenko Paul Dotsenko created issue -
          arjen.poutsma Arjen Poutsma made changes -
          Field Original Value New Value
          Fix Version/s 1.5.6 [ 11141 ]
          arjen.poutsma Arjen Poutsma made changes -
          Assignee Arjen Poutsma [ arjen.poutsma ] Tareq Abed Rabbo [ tareq ]
          tareq Tareq Abedrabbo made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          tareq Tareq Abedrabbo made changes -
          Link This issue depends on SWS-477 [ SWS-477 ]
          tareq Tareq Abedrabbo added a comment -

          Wss4j 1.5.5 depends on xml-sec 1.4.2 which is supposed to fix this issue.

          arjen.poutsma Arjen Poutsma added a comment -

          Upgraded to WSS4J 1.5.5

          arjen.poutsma Arjen Poutsma made changes -
          Status In Progress [ 3 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          arjen.poutsma Arjen Poutsma added a comment -

          Closing old issues

          arjen.poutsma Arjen Poutsma made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          | Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date |
          |---|---|---|---|---|
          | Open → In Progress | 54d 6h 33m | 1 | Tareq Abedrabbo | 06/Jan/09 6:18 AM |
          | In Progress → Resolved | 20d 18h 11m | 1 | Arjen Poutsma | 27/Jan/09 12:30 AM |
          | Resolved → Closed | 1193d 6h 33m | 1 | Arjen Poutsma | 04/May/12 7:03 AM |

            People

            • Assignee:
              tareq Tareq Abedrabbo
              Reporter:
              pdotsenko Paul Dotsenko
            • Votes:
              0
              Watchers:
              0
