[SWS-447] xmlsec-1.4.1 library upgrade from v. 1.4.0 breaks response encryption with Wss4jSecurityInterceptor in spring-ws 1.5.5 release. Created: 12/Nov/08  Updated: 04/May/12  Resolved: 27/Jan/09

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: 1.5.5
Fix Version/s: 1.5.6

Type: Bug
Priority: Major
Reporter: Paul Dotsenko
Assignee: Tareq Abedrabbo
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

spring-ws 1.5.5, spring 2.5.6, Tomcat 6.0.16


Issue Links:
Depends
depends on SWS-477 Upgrade to Wss4j 1.5.5 Closed

 Description   

I have an existing Spring-ws web services implementation which secures both client requests and responses using Wss4jSecurityInterceptor with XML encryption and digital signature. The response is encrypted using the request signature certificate by setting the securementEncryptionUser property to "useReqSigCert". After upgrading the spring-ws libraries from 1.5.4 to 1.5.5, I also upgraded the bundled Apache xmlsec library from 1.4.0 to 1.4.1. A bug in xmlsec 1.4.1 or an incompatibility between the xmlsec 1.4.1 and wss4j-1.5.4 libraries broke response payload content encryption using the wss4j interceptor: the calling client receives a garbled response XML in which some elements that were supposed to be replaced with encrypted content are left unencrypted. In my testing, the problem only occurs on response encryption (request encryption on the client side using the same xmlsec 1.4.1 jar seems to work fine).

Rolling back to xmlsec 1.4.0 on both server and client fixed the problem (while keeping the rest of the spring-ws 1.5.5 jars). I also noticed that the wss4j-1.5.4 binary distribution bundles xmlsec 1.4.0 (not 1.4.1). To avoid the encryption errors, I would suggest rolling back the bundled xmlsec jar to version 1.4.0 in spring-ws releases which depend on wss4j-1.5.4.
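A regression check for the failure described in this report, as an added example that is not part of the original issue or of Spring-WS: it flags a SOAP response whose Body still carries plaintext alongside `xenc:EncryptedData`, or whose `DataReference` entries point at nothing. It assumes the whole Body content is meant to be encrypted; `audit_encrypted_body`, `make_sample` and the sample messages are hypothetical names and constructed data, and the sample header is simplified (a real WSS4J message nests the ReferenceList in `wsse:Security`/`xenc:EncryptedKey`).

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
XENC = "http://www.w3.org/2001/04/xmlenc#"
ENC_DATA = f"{{{XENC}}}EncryptedData"


def audit_encrypted_body(soap_xml):
    """Return findings; an empty list means the Body carries only ciphertext."""
    # For responses captured in your own tests; use a hardened parser otherwise.
    root = ET.fromstring(soap_xml)
    body = next((b for ns in SOAP_NS for b in root.findall(f"{{{ns}}}Body")), None)
    if body is None:
        return ["no SOAP Body element"]
    findings = []
    # Character data directly under Body (or between its children) is plaintext.
    stray = [body.text] + [child.tail for child in body]
    if any((t or "").strip() for t in stray):
        findings.append("plaintext text node in Body")
    for child in body:
        if child.tag != ENC_DATA:
            findings.append(f"plaintext element in Body: {child.tag}")
            continue
        value = child.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
        if not (value or "").strip():
            findings.append(f"EncryptedData {child.get('Id')} has empty CipherValue")
    if body.find(ENC_DATA) is None:
        findings.append("Body contains no EncryptedData")
    # Each DataReference must resolve to an EncryptedData that is really present.
    ids = {e.get("Id") for e in root.iter(ENC_DATA)}
    for ref in root.iter(f"{{{XENC}}}DataReference"):
        if ref.get("URI", "").lstrip("#") not in ids:
            findings.append(f"dangling DataReference {ref.get('URI')}")
    return findings


def make_sample(body_inner):
    # Constructed, simplified response (not captured traffic).
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS[0]}" xmlns:xenc="{XENC}">'
            '<soap:Header><xenc:ReferenceList><xenc:DataReference URI="#ED-1"/>'
            '</xenc:ReferenceList></soap:Header>'
            f'<soap:Body>{body_inner}</soap:Body></soap:Envelope>')


ENC = ('<xenc:EncryptedData Id="ED-1"><xenc:CipherData><xenc:CipherValue>'
       'Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')
GOOD = make_sample(ENC)
LEAKY = make_sample(ENC + '<account xmlns="urn:example">12345</account>')
```

Running this against a captured response in an integration test after any xmlsec or WSS4J upgrade turns the symptom reported here into a failing assertion instead of a client-side surprise.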



 Comments   
Comment by Tareq Abedrabbo [ 26/Jan/09 ]

Wss4j 1.5.5 depends on xml-sec 1.4.2 which is supposed to fix this issue.

Comment by Arjen Poutsma [ 27/Jan/09 ]

Upgraded to WSS4J 1.5.5

Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues
