Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-961

WSS4J2 Wss4jSecurityInterceptor -> validation configuration errors

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.4.1, 3.0.0.RELEASE
    • Component/s: Security
    • Labels:
      None

      Description

      In our use case, we don't use any validation, just securement. This used to work in previous Spring WS versions that depend on WSS4J 1.x, without setting the validationActions property. However when upgrading to Spring WS 2.3.0 and WSS4J 2.x our XML configuration fails because of the following two issues:

      a) NullPointerException in validateMessage() because validationActionsVector is not initialized. This field is only initialized if setValidationActions() is invoked, which should not be necessary if validation is not required. NoSecurity should be configured by default.

      b) After configuring validationActions="NoSecurity" our configuration still caused failures (Wss4jSecurityValidationException("No WS-Security header found")), as validation was being attempted anyway. This is due to validationActionsVector being initialized as an empty list by WSSecurityUtil.decodeAction("NoSecurity"). Thus the validationActionsVector.contains(WSConstants.NO_SECURITY) check in validateMessage() fails. An empty vector should be interpreted as no validation required, even if validateRequest or validateResponse are true (which are the defaults)

      We resolved this by setting the following properties, which should not be required for our use case:
      validationActions="NoSecurity"
      validateRequest="false"
      validateResponse="false"

        Issue Links

          Activity

          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open Resolved Resolved
          499d 1h 14m 1 Greg Turnquist 30/Oct/17 2:53 PM
          Resolved Resolved Closed Closed
          4s 1 Greg Turnquist 30/Oct/17 2:53 PM

            People

            • Assignee:
              gregturn Greg Turnquist
              Reporter:
              mads1980 Manuel Dominguez Sarmiento
            • Votes:
              3 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: