ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-486) Streaming code does not process a (non-secured) SOAP Fault correctly
Date Mon, 13 Jan 2014 12:50:04 GMT

    [ https://issues.apache.org/jira/browse/WSS-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869460#comment-13869460
] 

Colm O hEigeartaigh commented on WSS-486:
-----------------------------------------

Hi Marc,

Ok I have merged a fix similar to what the WSS4JInInterceptor does to skip security processing.
I then ran into a bug in Santuario's XMLSecurityStreamReader, which I've fixed. 

The current issue I'm facing is that CXF's StaxUtils is calling "String ns = reader.getNamespaceURI(prefix);",
where prefix="soap". The current event is the END_ELEMENT of "faultcode", and XMLSecEndElementImpl
returns an empty iterator for the "getNamespaces()" method.

Colm.

> Streaming code does not process a (non-secured) SOAP Fault correctly
> --------------------------------------------------------------------
>
>                 Key: WSS-486
>                 URL: https://issues.apache.org/jira/browse/WSS-486
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: 2.0.0
>
>
> The streaming code does not process a non-secured SOAP Fault correctly. I've merged some
code to the PolicyEnforcer to not throw a PolicyValidationException when we are an initiator
+ there is no security header + there is no SOAP Fault. This allows a client to see what the
actual error message is, rather than complain about an insecured response.
> However, there is a bug in the SecurityHeaderInputProcessor, it throws the following
exception:
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: Request is not a valid SOAP
Message
>         at org.apache.wss4j.stax.impl.processor.input.SecurityHeaderInputProcessor.processNextEvent(SecurityHeaderInputProcessor.java:95)
> I can only reproduce in conjunction with CXF. See the following test ("testSOAPFaultError"):
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/parts/PartsTest.java?view=markup



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message