Affects Version/s: 1.5.6
Fix Version/s: 1.5.7
Environment:Spring-ws 1.5.6, spring-2.5.6, Axiom soap message factory, Wss4j 1.5.5 security interceptor, Java 5, Tomcat 6.0.16
I upgraded an existing spring-ws app from 1.5.5 to 1.5.6, and also upgraded dependencies bundled in the with-dependencies release, specifically upgraded wss4j jar from 1.5.4 to 1.5.5 and xmlsec from 1.4.0 to 1.4.2. Now wss4j 1.5.5 somehow strips out my custom SOAP headers on the client side from the request message. Both client and server use spring-ws, I am using Axiom soap message factory (payloadCaching=true), Wss4j for ws-security, running the application in Tomcat 6 with Sun Java 5 jvm.
Rolling back wss4j libs to wss4j-1.5.4.jar and xmlsec-1.4.0.jar fixes the problem (keeping the other spring-ws 1.5.6 release jars), therefore I suspect this is a Wss4j-1.5.5 bug, but other causes are possible (see other observations below). Proposed solution: roll back the bundled Wss4j jars to wss4j 1.5.4 and xmlsec 1.4.0.
1. Sending the SOAP request using soapUI instead of the spring-ws client fixes the problem, proving that the headers are stripped by the spring-ws client.
2. Removing Wss4j security interceptor fixes the problem.
3. Switching to SaajSoapMessageFactory fixes the problem.
4. Spring-ws client trace logger logs the sent SOAP message WITH the custom soap headers intact, so the headers are stripped after the logging code is executed.
Attached is a sample that reproduces the problem. The sample is a slightly modified echo spring-ws sample pre-configured as an Eclipse project folder. The echo sample was modified to use Wss4j security interceptor, Axiom Soap message factory and I added the code to add custom Soap headers. To reproduce, import the sample into an Eclipse 3.* workspace, deploy spring-ws-echo war to a servlet container, and run org.echo.client.sws.EchoClient as Java applicatio. The logged Soap request on the client contains the "customSoapHeader" header element, but on the server side the same request Soap message is missing this header.