  1. Spring Web Services
  2. SWS-448

Wss4jSecurityInterceptor accepts messages when <wsse:header> is empty

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.5.5
    • Fix Version/s: 1.5.6
    • Component/s: Security
    • Labels:
      None
    • Environment:
      UsernameToken profile
      X.509 Token Profile

      Description

      http://forum.springframework.org/showthread.php?t=63553

      The problem occurs when Wss4jSecurityInterceptor is used on the server side to validate a username token (or signature).

      Everything looks fine except when an empty <wsse:header> is sent. The interceptor lets the message through and doesn't
      throw any exceptions.

      As an attachment, I'm sending a Maven project with JUnit tests to prove the case. The project is a very simple web service
      based on the tutorial sample. I just configured the wss4j interceptor to validate the username token.

      The only test that doesn't pass is the last one, 'testSendMessageWithEmptyWsseHeader'.

      Sorry for my English... it isn't my native language.

      1. SWS-448.patch
        3 kB
        Tareq Abedrabbo
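
One way to express the check the report finds missing is to fail closed when the security header carries none of the tokens the configured validation requires. This is an added example, not the code in SWS-448.patch or in Spring-WS/WSS4J; the class and method names are hypothetical, and it assumes the header element is `wsse:Security` in the standard WS-Security namespace.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Hypothetical class, not part of Spring-WS or WSS4J.
public class RequiredTokenCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // For the X.509 signature case, require {DS, "Signature"} instead.
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    /** Throws unless every required token is a direct child of the Security header. */
    static void requireTokens(String envelope, List<String[]> required) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the pre-check itself is not an XXE vector.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));
        Element header = child(doc.getDocumentElement(), SOAP, "Header");
        Element security = header == null ? null : child(header, WSSE, "Security");
        if (security == null) throw new SecurityException("no wsse:Security header");
        for (String[] qn : required)   // an empty header fails here, not silently passes
            if (child(security, qn[0], qn[1]) == null)
                throw new SecurityException("missing required token: " + qn[1]);
    }

    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: security header present but empty, the case from the report.
        String empty = "<s:Envelope xmlns:s='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
                + "<s:Header><wsse:Security/></s:Header><s:Body/></s:Envelope>";
        try {
            requireTokens(empty, List.of(new String[] {WSSE, "UsernameToken"}));
            System.out.println("accepted");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check covers presence only; the token or signature itself still has to be validated by the WS-Security processing that follows.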

        Activity

        tareq Tareq Abedrabbo added a comment -

        Strangely enough, WSHandler.checkReceiverResults doesn't check for this.
        Michel, thanks a lot for pointing this out.

        peterarockiaraj Peter Arockiaraj added a comment -

        Even I'm facing the same problem. I am using spring-ws-security-1.5.6.jar only for this. Can you please check and update me?

        michelz Michel Zanini added a comment -

        Peter,

        Check if you're using wss4j 1.5.4+ ... this bug was originally from wss4j:
        http://issues.apache.org/jira/browse/WSS-70

        tareq Tareq Abedrabbo added a comment -

        Hi Peter,

        The sample you attached uses 2 endpoint mappings and I'm not sure your security interceptor is attached to the right one. Could you clean up your sample and try again?

        Thanks,

        arjen.poutsma Arjen Poutsma added a comment -

        Closing old issues


          People

          • Assignee:
            tareq Tareq Abedrabbo
            Reporter:
            michelz Michel Zanini