Spring Web Services / SWS-447

xmlsec-1.4.1 library upgrade from v. 1.4.0 breaks response encryption with Wss4jSecurityInterceptor in spring-ws 1.5.5 release.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.5
    • Fix Version/s: 1.5.6
    • Component/s: Security
    • Labels:
      None
    • Environment:
      spring-ws 1.5.5, spring 2.5.6, Tomcat 6.0.16

      Description

      I have an existing Spring-WS web services implementation which secures both client requests and responses using Wss4jSecurityInterceptor with XML encryption and digital signature. The response is encrypted using the request signature certificate by setting the securementEncryptionUser property to "useReqSigCert". After upgrading the spring-ws libraries from 1.5.4 to 1.5.5, I also upgraded the bundled Apache xmlsec library from 1.4.0 to 1.4.1. A bug in xmlsec 1.4.1 or an incompatibility between the xmlsec 1.4.1 and wss4j-1.5.4 libraries broke response payload content encryption using the wss4j interceptor: the calling client receives garbled response XML in which some elements that were supposed to be replaced with encrypted content are left unencrypted. In my testing the problem only occurs on response encryption (request encryption on the client side using the same xmlsec 1.4.1 jar seems to work fine).

      Rolling back to xmlsec 1.4.0 on both server and client fixed the problem (while keeping the rest of the spring-ws 1.5.5 jars). I also noticed that the wss4j-1.5.4 binary distribution bundles xmlsec 1.4.0 (not 1.4.1). To avoid the encryption errors, I would suggest rolling back the bundled xmlsec jar to version 1.4.0 in spring-ws releases which depend on wss4j-1.5.4.
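
A regression check for the failure described in this report, as an added example that is not part of the original issue or of Spring-WS: it parses a response envelope and reports anything inside soap:Body other than xenc:EncryptedData. It assumes SOAP 1.1 and a policy that encrypts the entire Body content; the class name, method name and sample envelopes are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class EncryptedBodyCheck {
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";

    /** Lists everything in soap:Body that is not an xenc:EncryptedData element. */
    static List<String> cleartextInBody(String envelope) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response is untrusted input, so refuse DTDs while parsing it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();
        Node body = doc.getElementsByTagNameNS(SOAP11, "Body").item(0);
        boolean sawEncryptedData = false;
        for (Node n = body == null ? null : body.getFirstChild(); n != null; n = n.getNextSibling()) {
            short type = n.getNodeType();
            boolean text = type == Node.TEXT_NODE || type == Node.CDATA_SECTION_NODE;
            if (type == Node.ELEMENT_NODE && XENC.equals(n.getNamespaceURI())
                    && "EncryptedData".equals(n.getLocalName())) {
                sawEncryptedData = true;
            } else if (type == Node.ELEMENT_NODE) {
                findings.add("cleartext element: " + n.getNodeName());
            } else if (text && !n.getNodeValue().trim().isEmpty()) {
                findings.add("cleartext text node");
            }
        }
        if (!sawEncryptedData) { findings.add("no xenc:EncryptedData found in soap:Body"); }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a dummy CipherValue, then one element left outside the encrypted part.
        String enc = "<x:EncryptedData xmlns:x='" + XENC + "'><x:CipherData><x:CipherValue>"
                + "AAAA</x:CipherValue></x:CipherData></x:EncryptedData>";
        String wrap = "<s:Envelope xmlns:s='" + SOAP11 + "'><s:Body>%s</s:Body></s:Envelope>";
        System.out.println(cleartextInBody(String.format(wrap, enc)));
        System.out.println(cleartextInBody(String.format(wrap, enc + "<amount>42</amount>")));
    }
}
```

An empty findings list means the Body carried only encrypted content; running the check over captured responses after a dependency upgrade surfaces partially encrypted payloads like the one reported here.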

          Activity

          pdotsenko Paul Dotsenko created issue
          arjen.poutsma Arjen Poutsma made changes
            Fix Version/s: (none) -> 1.5.6 [ 11141 ]
          arjen.poutsma Arjen Poutsma made changes
            Assignee: Arjen Poutsma [ arjen.poutsma ] -> Tareq Abed Rabbo [ tareq ]
          tareq Tareq Abedrabbo made changes
            Status: Open [ 1 ] -> In Progress [ 3 ]
          tareq Tareq Abedrabbo made changes
            Link: (none) -> This issue depends on SWS-477 [ SWS-477 ]
          arjen.poutsma Arjen Poutsma made changes
            Status: In Progress [ 3 ] -> Resolved [ 5 ]
            Resolution: (none) -> Fixed [ 1 ]
          arjen.poutsma Arjen Poutsma made changes
            Status: Resolved [ 5 ] -> Closed [ 6 ]

            People

            • Assignee:
              tareq Tareq Abedrabbo
              Reporter:
              pdotsenko Paul Dotsenko