  1. Spring Web Services
  2. SWS-961

WSS4J2 Wss4jSecurityInterceptor -> validation configuration errors

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.4.1, 3.0.0.RELEASE
    • Component/s: Security
    • Labels:
      None

      Description

      In our use case, we don't use any validation, just securement. This used to work in previous Spring WS versions that depend on WSS4J 1.x, without setting the validationActions property. However, when upgrading to Spring WS 2.3.0 and WSS4J 2.x, our XML configuration fails because of the following two issues:

      a) NullPointerException in validateMessage() because validationActionsVector is not initialized. This field is only initialized if setValidationActions() is invoked, which should not be necessary if validation is not required. NoSecurity should be configured by default.

      b) After configuring validationActions="NoSecurity" our configuration still caused failures (Wss4jSecurityValidationException("No WS-Security header found")), as validation was being attempted anyway. This is due to validationActionsVector being initialized as an empty list by WSSecurityUtil.decodeAction("NoSecurity"). Thus the validationActionsVector.contains(WSConstants.NO_SECURITY) check in validateMessage() fails. An empty vector should be interpreted as no validation required, even if validateRequest or validateResponse are true (which are the defaults).

      We resolved this by setting the following properties, which should not be required for our use case:
      validationActions="NoSecurity"
      validateRequest="false"
      validateResponse="false"
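
The workaround above as a complete bean definition, added here as an illustration and not taken from the reporter's configuration. The bean id, the UsernameToken securement action, and the `${ws.username}` / `${ws.password}` placeholders are assumptions; the three validation properties are the ones listed in the report.

```xml
<!-- Added example: securement-only interceptor on Spring WS 2.3.0 / WSS4J 2.x -->
<bean id="wsSecurityInterceptor"
      class="org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor">

    <!-- Outbound securement. Assumed for illustration: the report does not
         say which securement actions its configuration uses. -->
    <property name="securementActions" value="UsernameToken"/>
    <property name="securementUsername" value="${ws.username}"/>
    <property name="securementPassword" value="${ws.password}"/>

    <!-- Issue (a): calling the setter initializes validationActionsVector,
         which avoids the NullPointerException in validateMessage(). -->
    <property name="validationActions" value="NoSecurity"/>

    <!-- Issue (b): "NoSecurity" decodes to an empty list, so the
         contains(NO_SECURITY) check does not skip validation. Both flags
         default to true and must be switched off explicitly. -->
    <property name="validateRequest" value="false"/>
    <property name="validateResponse" value="false"/>
</bean>
```

With both flags set to false the interceptor performs no WS-Security checks on incoming messages, so this configuration fits only endpoints or clients that, as in the report, need securement and no validation.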

        Issue Links

          Activity

          mads1980 Manuel Dominguez Sarmiento created issue
          gregturn Greg Turnquist made changes
          Field | Original Value | New Value
          Link | | This issue is superseded by SWS-989 [ SWS-989 ]
          gregturn Greg Turnquist made changes
          Field | Original Value | New Value
          Fix Version/s | | 3.0.0.RELEASE [ 16498 ]
          Fix Version/s | | 2.4.1 [ 15717 ]
          Assignee | | Greg Turnquist [ gregturn ]
          gregturn Greg Turnquist made changes
          Field | Original Value | New Value
          Status | Open [ 1 ] | Resolved [ 5 ]
          Resolution | | Complete [ 8 ]
          gregturn Greg Turnquist made changes
          Field | Original Value | New Value
          Status | Resolved [ 5 ] | Closed [ 6 ]

            People

            • Assignee:
              gregturn Greg Turnquist
              Reporter:
              mads1980 Manuel Dominguez Sarmiento
            • Votes:
              3
              Watchers:
              9

              Dates

              • Created:
                Updated:
                Resolved: