Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-661

XwsSecurityInterceptor.processor.handler incorrect and does not match XwsSecurityInterceptor.callbackHandler


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Deferred
    • Affects Version/s: 1.5.8
    • Fix Version/s: None
    • Component/s: Security
    • Labels:


      In my client I have a Facade class that provides a simplified facade client API to my service.
      The Facade class uses a WebServiceTemplate with a XwsSecurityInterceptor to use WSS for basic authentication.
      There are multiple instances of the Facade in my client so it can talk to multiple services.
      Therefor I use scope="prototype" for the beans supporting the Facade class.

      At runtime I observe that the wrong handler is being called during authentication sequence. Upon debugging I observe that the XwsSecurityInterceptor.processor.handler is set incorrectly for the XwsSecurityInterceptor and does not match XwsSecurityInterceptor.callbackHandler. Thus authentication fails to behave correctly.

      I suspect that multiple beans (due to scope="prototype") are somehow tripping some code and mixing up or overwriting the XwsSecurityInterceptor.processor.handler or possibly XwsSecurityInterceptor.processor.

      Note the hack in bean config is because there was no way to get the callbackHandler from the XwsSecurityInterceptor in spring-ws-secuurity-1.5.8 so I set it within the constructor of Facade overwriting the handler set in bean configuration. I set the "real" handler outside bean config because I could not figure out how to use a ref to the same prototype scoped CallbackHandlerImpl bean in both the facade and the clientSecurityInterceptor (it sets two different instances otherwise).

          <bean id="jaxb2Marshaller" class="org.springframework.oxm.jaxb.Jaxb2Marshaller">
          <bean id="facade" class="org.acme.client.Facade" scope="prototype">
              <property name="webServiceTemplate"  ref="soapWebServiceTemplate"/>
          <bean id="soapWebServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate" scope="prototype">
            <property name="marshaller" ref="jaxb2Marshaller"/>
            <property name="unmarshaller" ref="jaxb2Marshaller"/>
            <property name="interceptors" ref="clientSecurityInterceptor"/>
          <bean id="clientSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor" scope="prototype">
              <property name="secureResponse" value="false"/>
              <property name="policyConfiguration" value="classpath:clientSecurityPolicy.xml"/>
              Hack: This handler instance is replaced by handler in FacadeWSImpl and exist only to satisfy assertion in 
              <property name="callbackHandler" ref="callbackHandler"/>
          <bean id="callbackHandler" class="org.acme.client.CallbackHandlerImpl" scope="singleton" />




            • Assignee:
              tareq Tareq Abedrabbo
              farrukh_najmi Farrukh Najmi
            • Votes:
              0 Vote for this issue
              0 Start watching this issue


              • Created: