Spring Web Services: SWS-524

Wss4j security header validation: make header elements check overridable



    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5.7
    • Fix Version/s: 1.5.8
    • Component/s: Security


      My application uses an org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor with validationActions set simply to "UsernameToken" (additionally using SpringPlainTextPasswordValidationCallbackHandler as the validationCallbackHandler, but that has no effect on the problem).

      If a web service client sends a request and inside the WS-Security header they include the UsernameToken AND some other element (e.g. Timestamp, like WCF clients do), the validateMessage method always throws a Wss4jSecurityValidationException (line 509, with message of "Security processing failed (actions mismatch)").

      On the preceding line is:
      if(!handler.checkReceiverResults(results, validationActionsVector)) {

      This is a reference to org.springframework.ws.soap.security.wss4j.Wss4JHandler - the implementation of which simply calls the super's (wss4j's WSHandler) checkReceiverResults.

      If the size of the 2 vectors passed into org.apache.ws.security.handler.WSHandler#checkReceiverResults are different, the method always returns false, regardless of the status of each WSSecurityEngineResult (see line 291 - "if (ai >= size" is false, triggering the return false).

      With this example configuration, and a properly formatted request that contains both UsernameToken and Timestamp, those 2 vectors passed into that method have different sizes, as the prior call to securityEngine.processHeader returned the Vector named "results", which has 2 results.

      The question is: where is the bug?

      1. Does the WS-Security specification say that if you have more elements in the header than the endpoint expects, a soap fault should be raised?
      2. If that's not the case, should wss4j be returning false for checkReceiverResults if the input Vectors have different sizes?
      3. If wss4j is doing what it's supposed to, should the spring-ws Wss4JHandler or Wss4jSecurityInterceptor remove results from the result of securityEngine.processHeader that aren't specified in the validationActions property?

      It seems to me that the Timestamp (in my example case) is superfluous and likely can be ignored (unless the security specification says otherwise).
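Added illustration, not code from this issue, Spring WS or WSS4J: the Java below models the receiver-side check the report describes (one result per processed header element, compared against the configured validation actions, with any size difference rejected) and beside it an overridable variant that drops header elements the endpoint was never configured to validate before comparing. Class name, method names and the numeric action codes are constructed placeholders, not WSS4J's or Spring WS's API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Constructed model of the "actions mismatch" check from SWS-524 and an
 * overridable, lenient variant. Names and action codes are placeholders,
 * not WSS4J's or Spring WS's API.
 */
public class ReceiverResultsCheckDemo {

    // Constructed action codes standing in for the markers a security engine
    // attaches to each processed WS-Security header element.
    static final int USERNAME_TOKEN = 1;
    static final int TIMESTAMP = 2;
    static final int SIGNATURE_CONFIRMATION = 3; // tolerated without being configured

    /** Results minus signature-confirmation entries, which the strict check skips. */
    static List<Integer> countable(List<Integer> results) {
        List<Integer> out = new ArrayList<>();
        for (Integer act : results) {
            if (act != SIGNATURE_CONFIRMATION) {
                out.add(act);
            }
        }
        return out;
    }

    /**
     * Strict check as the issue describes it: the processed elements must match
     * the configured actions one-for-one and in order; any size difference fails.
     */
    static boolean strictCheck(List<Integer> results, List<Integer> actions) {
        List<Integer> found = countable(results);
        if (found.size() != actions.size()) {
            return false; // the "Security processing failed (actions mismatch)" path
        }
        for (int i = 0; i < found.size(); i++) {
            if (!found.get(i).equals(actions.get(i))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Overridable variant: discard elements whose action was never configured,
     * then apply the strict check. Discarded elements are NOT validated, so only
     * ignore what the endpoint does not rely on. A configured action that is
     * absent from the request, or present twice, still fails because the sizes
     * then differ.
     */
    static boolean lenientCheck(List<Integer> results, List<Integer> actions) {
        List<Integer> relevant = new ArrayList<>();
        for (Integer act : results) {
            if (actions.contains(act)) {
                relevant.add(act);
            }
        }
        return strictCheck(relevant, actions);
    }

    public static void main(String[] args) {
        // validationActions = "UsernameToken"
        List<Integer> configured = Arrays.asList(USERNAME_TOKEN);

        // Constructed request shapes: a WCF-style request carrying a Timestamp
        // next to the UsernameToken, and a request that lacks the token entirely.
        List<Integer> wcfRequest = Arrays.asList(USERNAME_TOKEN, TIMESTAMP);
        List<Integer> missingToken = Arrays.asList(TIMESTAMP);

        System.out.println("strict,  UsernameToken+Timestamp: " + strictCheck(wcfRequest, configured));
        System.out.println("lenient, UsernameToken+Timestamp: " + lenientCheck(wcfRequest, configured));
        System.out.println("strict,  Timestamp only:          " + strictCheck(missingToken, configured));
        System.out.println("lenient, Timestamp only:          " + lenientCheck(missingToken, configured));
    }
}
```

Run with `javac ReceiverResultsCheckDemo.java && java ReceiverResultsCheckDemo`. The strict check rejects the UsernameToken-plus-Timestamp request exactly as the report describes, the lenient check accepts it, and both reject the request that carries only a Timestamp, which is the property an override of this kind must keep: relaxing the check for extra elements must not let a missing configured element through. Where such an override hooks into the real interceptor depends on the Spring WS version in use; this example does not rely on any particular hook.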




            Tareq Abedrabbo (tareq), Nicholas Blair (nblair)