  1. Spring Web Services
  2. SWS-961

WSS4J2 Wss4jSecurityInterceptor -> validation configuration errors

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.4.1, 3.0.0.RELEASE
    • Component/s: Security
    • Labels:
      None

      Description

      In our use case, we don't use any validation, just securement. This used to work in previous Spring WS versions that depend on WSS4J 1.x, without setting the validationActions property. However, when upgrading to Spring WS 2.3.0 and WSS4J 2.x, our XML configuration fails because of the following two issues:

      a) NullPointerException in validateMessage() because validationActionsVector is not initialized. This field is only initialized if setValidationActions() is invoked, which should not be necessary if validation is not required. NoSecurity should be configured by default.

      b) After configuring validationActions="NoSecurity" our configuration still caused failures (Wss4jSecurityValidationException("No WS-Security header found")), as validation was being attempted anyway. This is due to validationActionsVector being initialized as an empty list by WSSecurityUtil.decodeAction("NoSecurity"). Thus the validationActionsVector.contains(WSConstants.NO_SECURITY) check in validateMessage() fails. An empty vector should be interpreted as no validation required, even if validateRequest or validateResponse are true (which are the defaults).

      We resolved this by setting the following properties, which should not be required for our use case:
      validationActions="NoSecurity"
      validateRequest="false"
      validateResponse="false"
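
      The two failure modes in (a) and (b) can be reproduced with a small stand-alone model. This is an added example, not code from Spring WS, WSS4J or the reporter: the class ValidationGateModel, its methods and the NO_SECURITY value are stand-ins that only mirror the behaviour the description attributes to validateMessage() and WSSecurityUtil.decodeAction().

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the validation decision described in the report.
// All names here are stand-ins; nothing below is Spring WS or WSS4J source.
public class ValidationGateModel {
    static final int NO_SECURITY = 0; // stand-in for WSConstants.NO_SECURITY

    // Models what the report says decodeAction does: "NoSecurity" produces an
    // empty list instead of a list that contains NO_SECURITY.
    static List<Integer> decodeAction(String actions) {
        List<Integer> decoded = new ArrayList<>();
        for (String a : actions.trim().split("\\s+")) {
            if (!a.equals("NoSecurity")) {
                decoded.add(a.hashCode() | 1); // placeholder id, never equal to NO_SECURITY
            }
        }
        return decoded;
    }

    // As reported: the list is dereferenced unconditionally and only contains() is checked.
    static boolean validatesAsReported(List<Integer> validationActions) {
        return !validationActions.contains(NO_SECURITY);
    }

    // What the reporter asks for: an unset or empty list means "no validation required".
    static boolean validatesAsRequested(List<Integer> validationActions) {
        return validationActions != null
                && !validationActions.isEmpty()
                && !validationActions.contains(NO_SECURITY);
    }

    public static void main(String[] args) {
        List<Integer> unset = null; // setValidationActions() was never called
        List<Integer> noSecurity = decodeAction("NoSecurity");
        List<Integer> signature = decodeAction("Signature");

        try {
            validatesAsReported(unset);
        } catch (NullPointerException e) {
            System.out.println("(a) unset, as reported: NullPointerException");
        }
        System.out.println("(b) NoSecurity, as reported: validate=" + validatesAsReported(noSecurity));
        System.out.println("unset, as requested: validate=" + validatesAsRequested(unset));
        System.out.println("NoSecurity, as requested: validate=" + validatesAsRequested(noSecurity));
        System.out.println("Signature, as requested: validate=" + validatesAsRequested(signature));
    }
}
```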

          Activity

          Vity Vity added a comment -

          Thank you, upgraded successfully.

          gregturn Greg Turnquist added a comment -

          I'd suggest setting:

          spring-ws.version=2.4.1.RELEASE
          

          and giving it a whirl in your existing application.

          Depending on whether you are using Maven or Gradle, this is done differently.

          Vity Vity added a comment -

          @jaminh @greg turniquist thanks to both of you.
          I am using Spring Boot 1.5.8 (spring-boot-starter-web-services 1.5.8) which still includes version 2.4.0. Shall I wait for the next Spring Boot WS starter release or shall I override the version?

          gregturn Greg Turnquist added a comment -

          Resolved by SWS-989 in 2.x and SWS-1008 in 3.0

          jaminh jaminh added a comment -

          This issue was addressed as part of https://jira.spring.io/browse/SWS-989.


            People

            • Assignee:
              gregturn Greg Turnquist
              Reporter:
              mads1980 Manuel Dominguez Sarmiento
            • Votes:
              3
              Watchers:
              9

              Dates

              • Created:
                Updated:
                Resolved: