Spring Web Services / SWS-962

Wss4jSecurityInterceptor (wss4j2) validates despite NoSecurity setting

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.3.0
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None

      Description

      When using the class org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor with the property validationActions set to NoSecurity, Spring-WS-Security still tries to validate the message.

      In the method setValidationActions, Apache's WSSecurityUtil decodes the split string into Integers representing the actions.

      WSSecurityUtil just returns the internal List if the NoSecurity action is found. The dedicated Integer 0 for NoSecurity is not returned.

      However, Wss4jSecurityInterceptor#validateMessage (line 646) decides to bypass validation if the Integer 0 exists in the actions list.

      Assuming that in the case of a NoSecurity validation action, no other validation action makes sense and therefore none else is specified, a fix would be to simply check whether the list is empty (NoSecurity applies).

      Wss4jSecurityInterceptor
      // replace line 646 with the following instruction
      if (validationActionsVector.isEmpty()) {
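
      An added illustration of the mismatch described above, not code from Spring-WS or WSS4J: a self-contained Java model in which decode stands in for the decoding step as the report describes it, and the two skipsValidation methods compare the existing check with the proposed one. The class name, the method names and the non-zero action codes are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the behaviour described in SWS-962. It does not call
// WSS4J or Spring-WS; class, method names and non-zero codes are constructed.
public class NoSecurityCheckDemo {
    static final int NO_SECURITY = 0;     // the "dedicated Integer 0" from the report
    static final int USERNAME_TOKEN = 1;  // constructed code for illustration
    static final int SIGNATURE = 2;       // constructed code for illustration

    // Models the decoding step: on "NoSecurity" the list built so far is
    // returned as-is, and 0 is never added to it.
    static List<Integer> decode(String actions) {
        List<Integer> result = new ArrayList<>();
        for (String name : actions.trim().split("\\s+")) {
            switch (name) {
                case "NoSecurity":    return result;
                case "UsernameToken": result.add(USERNAME_TOKEN); break;
                case "Signature":     result.add(SIGNATURE); break;
                default: throw new IllegalArgumentException("Unknown action: " + name);
            }
        }
        return result;
    }

    // The check the report describes at line 646: bypass only if 0 is present.
    static boolean skipsValidationCurrent(List<Integer> decoded) {
        return decoded.contains(NO_SECURITY);
    }

    // The check proposed in the report: bypass if nothing was decoded.
    static boolean skipsValidationProposed(List<Integer> decoded) {
        return decoded.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample settings for validationActions.
        String[] settings = {"NoSecurity", "UsernameToken Signature", "UsernameToken NoSecurity"};
        for (String s : settings) {
            List<Integer> d = decode(s);
            System.out.printf("%-26s decoded=%-8s current skips=%-5b proposed skips=%b%n",
                    "\"" + s + "\"", d, skipsValidationCurrent(d), skipsValidationProposed(d));
        }
    }
}
```

      In the third setting NoSecurity follows another action, so the decoded list is not empty and neither check skips validation; that is the combination the report's assumption excludes.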
      

            People

            • Assignee: Unassigned
            • Reporter: kevin92 Kevin Strobel