CVE-2012-5633
Description
The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf (Maven) | < 2.5.8 | 2.5.8 |
| org.apache.cxf:cxf (Maven) | >= 2.6.0, < 2.6.5 | 2.6.5 |
| org.apache.cxf:cxf (Maven) | >= 2.7.0, < 2.7.2 | 2.7.2 |
Affected products
- cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:* (range: <=2.5.7)
- cpe:2.3:a:apache:cxf:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.1:*:*:*:*:*:*:*
Patches
70cbc56618b60 Merged revisions 1420756 via git cherry-pick from
7 files changed · +551 −3
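--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -186,15 +186,19 @@ public Object getProperty(Object msgContext, String key) {
     }
 
     public final boolean isGET(SoapMessage message) {
         String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
-        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
+        boolean isGet =
+            "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
+        if (isGet) {
+            //make sure we skip the URIMapping as we cannot apply security requirements to that
+            message.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE);
+        }
+        return isGet;
     }
 
     public void handleMessage(SoapMessage msg) throws Fault {
         if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
             return;
         }
-        //make sure we skip the URIMapping as we cannot apply security requirements to that
-        msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE);
         msg.put(SECURITY_PROCESSED, Boolean.TRUE);
         boolean utWithCallbacks =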
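Review bot: `isGET` now mutates the message it inspects — the `message.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE)` inside the new `if (isGet)` block — while its name and `public final boolean` signature read as a pure predicate, so any other caller that only wants the answer also flips the dispatch flag. That side effect is the actual fix: before this change the early `return` in `handleMessage` meant the flag was never set for GET requests, so the URIMappingInterceptor could still dispatch them with no WS-Security processing. It should therefore be documented rather than left implicit, e.g. a Javadoc on `isGET` such as `/** True for an HTTP GET carrying no XML payload; as a side effect marks the message with URIMAPPING_SKIP so it is never dispatched via URI mapping without security processing. */`. `handleMessage` continues past the end of the hunk. The second cherry-pick on this page carries the identical hunk and this note applies to it as well.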
systests/ws-security/pom.xml+5 −0 modified@@ -124,6 +124,11 @@ <artifactId>cxf-rt-frontend-jaxws</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.cxf</groupId> + <artifactId>cxf-rt-frontend-jaxrs</artifactId> + <version>${project.version}</version> + </dependency> <dependency> <groupId>org.apache.cxf</groupId>
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/httpget/HTTPGetTest.java+216 −0 added@@ -0,0 +1,216 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.systest.ws.httpget; + +import java.net.URL; +import java.util.HashMap; +import java.util.Map; + +import javax.crypto.Cipher; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import javax.xml.namespace.QName; +import javax.xml.ws.Service; + +import org.apache.cxf.Bus; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.jaxrs.client.WebClient; +import org.apache.cxf.jaxrs.ext.xml.XMLSource; +import org.apache.cxf.systest.ws.common.SecurityTestUtil; +import org.apache.cxf.systest.ws.httpget.server.Server; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; +import org.example.contract.doubleit.DoubleItPortType; +import org.junit.BeforeClass; + +/** + * A set of tests for CXF-4629. 
+ */ +public class HTTPGetTest extends AbstractBusClientServerTestBase { + public static final String PORT = allocatePort(Server.class); + + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); + + private boolean unrestrictedPoliciesInstalled = checkUnrestrictedPoliciesInstalled(); + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(Server.class, true) + ); + } + + @org.junit.AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + stopAllServers(); + } + + @org.junit.Test + public void testSOAPClientSecurityPolicy() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = HTTPGetTest.class.getResource("DoubleItHTTPGet.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItKeyIdentifierPort"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, PORT); + int result = x509Port.doubleIt(25); + assertEquals(result, 50); + + bus.shutdown(true); + } + + @org.junit.Test + public void testHTTPGetClientSecurityPolicy() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "http://localhost:" + 
PORT + "/DoubleItX509KeyIdentifier/DoubleIt"; + WebClient client = WebClient.create(address); + client.query("numberToDouble", "20"); + + try { + client.get(XMLSource.class); + fail("Failure expected on security policy failure"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + @org.junit.Test + public void testSignedBodyTimestamp() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = HTTPGetTest.class.getResource("DoubleItHTTPGet.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSignBodyPort"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" + + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + int result = port.doubleIt(25); + assertEquals(result, 50); + + bus.shutdown(true); + } + + @org.junit.Test + public void testHTTPGetSignedBody() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = 
bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "http://localhost:" + PORT + "/DoubleItSignBody/DoubleIt"; + WebClient client = WebClient.create(address); + client.query("numberToDouble", "20"); + /* + XMLSource result = client.get(XMLSource.class); + result.setBuffering(true); + + String input = result.getNode("//doubledNumber", String.class); + assertTrue(input.startsWith("<doubledNumber>40")); + */ + + try { + client.get(XMLSource.class); + fail("Failure expected on security policy failure"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + + private boolean checkUnrestrictedPoliciesInstalled() { + try { + byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; + + SecretKey key192 = new SecretKeySpec( + new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}, + "AES"); + Cipher c = Cipher.getInstance("AES"); + c.init(Cipher.ENCRYPT_MODE, key192); + c.doFinal(data); + return true; + } catch (Exception e) { + // + } + return false; + } + +}
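Review bot: Both negative tests, `testHTTPGetClientSecurityPolicy` and `testHTTPGetSignedBody`, accept any `Exception` from `client.get(XMLSource.class)` as the expected security failure, so a connection refused, a wrong path or a parse error passes them just as well as a genuine rejection of the unsecured GET. Narrow the catch to the client-side error type (e.g. `WebApplicationException`) and assert on its response status so the test fails again if GET dispatch ever silently succeeds; the commented-out assertion block in `testHTTPGetSignedBody` should either be removed or become a separate positive test. `checkUnrestrictedPoliciesInstalled` likewise swallows every exception behind an empty `//` comment; `// unlimited-strength JCE policy not installed — tests are skipped` would record why returning false there is acceptable. The same file is added again in the second cherry-pick below and the same note applies.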
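--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/httpget/server/Server.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.httpget.server;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run() {
+        URL busFile = Server.class.getResource("server.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+    }
+}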
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/client/client.xml+55 −0 added@@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:jaxws="http://cxf.apache.org/jaxws" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:p="http://cxf.apache.org/policy" + xmlns:sec="http://cxf.apache.org/configuration/security" + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd" +> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItKeyIdentifierPort" + createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.encryption.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + <entry key="ws-security.encryption.username" value="bob"/> + </jaxws:properties> + </jaxws:client> + + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignBodyPort" + createdFromAPI="true"> + </jaxws:client> + +</beans>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl+138 −0 added@@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<wsdl:definitions name="DoubleIt" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt" + targetNamespace="http://www.example.org/contract/DoubleIt" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsaws="http://www.w3.org/2005/08/addressing" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" + xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"> + + <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" + namespace="http://www.example.org/contract/DoubleIt"/> + + <wsdl:binding name="DoubleItKeyIdentifierBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItKeyIdentifierPolicy" /> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation 
soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault" /> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> + + <wsdl:binding name="DoubleItNoSecurityBinding" type="tns:DoubleItPortType"> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault" /> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> + + <wsdl:service name="DoubleItService"> + <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding"> + <soap:address location="http://localhost:9001/DoubleItX509KeyIdentifier" /> + </wsdl:port> + <wsdl:port name="DoubleItSignBodyPort" binding="tns:DoubleItNoSecurityBinding"> + <soap:address location="http://localhost:9001/DoubleItSignBody" /> + </wsdl:port> + </wsdl:service> + + <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:WssX509V3Token10 /> + <sp:RequireKeyIdentifierReference /> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic256/> + </wsp:Policy> + </sp:AlgorithmSuite> + 
</wsp:Policy> + </sp:SymmetricBinding> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + +</wsdl:definitions>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/server/server.xml+89 −0 added@@ -0,0 +1,89 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:jaxws="http://cxf.apache.org/jaxws" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" + xmlns:sec="http://cxf.apache.org/configuration/security" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:p="http://cxf.apache.org/policy" + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd + 
http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd + "> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <jaxws:endpoint + id="KeyIdentifier" + address="http://localhost:${testutil.ports.Server}/DoubleItX509KeyIdentifier" + serviceName="s:DoubleItService" + endpointName="s:DoubleItKeyIdentifierPort" + xmlns:s="http://www.example.org/contract/DoubleIt" + implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl"> + + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + </jaxws:properties> + + </jaxws:endpoint> + + <jaxws:endpoint + id="SignBody" + address="http://localhost:${testutil.ports.Server}/DoubleItSignBody" + serviceName="s:DoubleItService" + endpointName="s:DoubleItSignBodyPort" + xmlns:s="http://www.example.org/contract/DoubleIt" + implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl"> + + <jaxws:inInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="Signature Timestamp"/> + <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> + <entry key="passwordCallbackClass" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + </map> + </constructor-arg> + </bean> + <!--<bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker"/>--> + </jaxws:inInterceptors> + </jaxws:endpoint> + + +</beans>
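Review bot: The `DefaultCryptoCoverageChecker` bean under the SignBody endpoint's `jaxws:inInterceptors` is left commented out, so the `WSS4JInInterceptor` configured with `action="Signature Timestamp"` only verifies that a valid signature and timestamp are present, not that the SOAP Body is among the signed parts. For a test fixture that may be deliberate, but since this fixture models the configuration the fix is meant to protect, either enable the checker or replace the commented-out bean with a comment stating why coverage checking is omitted here, e.g. `<!-- coverage checking intentionally disabled: this fixture only exercises GET dispatch -->`.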
e0cdf873942b Merged revisions 1420698 via git cherry-pick from
7 files changed · +551 −3
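--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -182,15 +182,19 @@ public Object getProperty(Object msgContext, String key) {
     }
 
     public final boolean isGET(SoapMessage message) {
         String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
-        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
+        boolean isGet =
+            "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
+        if (isGet) {
+            //make sure we skip the URIMapping as we cannot apply security requirements to that
+            message.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE);
+        }
+        return isGet;
     }
 
     public void handleMessage(SoapMessage msg) throws Fault {
         if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
             return;
         }
-        //make sure we skip the URIMapping as we cannot apply security requirements to that
-        msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE);
         msg.put(SECURITY_PROCESSED, Boolean.TRUE);
         boolean utWithCallbacks =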
systests/ws-security/pom.xml+5 −0 modified@@ -119,6 +119,11 @@ <artifactId>cxf-rt-frontend-jaxws</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.cxf</groupId> + <artifactId>cxf-rt-frontend-jaxrs</artifactId> + <version>${project.version}</version> + </dependency> <dependency> <groupId>org.apache.cxf</groupId>
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/httpget/HTTPGetTest.java+216 −0 added@@ -0,0 +1,216 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.systest.ws.httpget; + +import java.net.URL; +import java.util.HashMap; +import java.util.Map; + +import javax.crypto.Cipher; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import javax.xml.namespace.QName; +import javax.xml.ws.Service; + +import org.apache.cxf.Bus; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.jaxrs.client.WebClient; +import org.apache.cxf.jaxrs.ext.xml.XMLSource; +import org.apache.cxf.systest.ws.common.SecurityTestUtil; +import org.apache.cxf.systest.ws.httpget.server.Server; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; +import org.example.contract.doubleit.DoubleItPortType; +import org.junit.BeforeClass; + +/** + * A set of tests for CXF-4629. 
+ */ +public class HTTPGetTest extends AbstractBusClientServerTestBase { + public static final String PORT = allocatePort(Server.class); + + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); + + private boolean unrestrictedPoliciesInstalled = checkUnrestrictedPoliciesInstalled(); + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(Server.class, true) + ); + } + + @org.junit.AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + stopAllServers(); + } + + @org.junit.Test + public void testSOAPClientSecurityPolicy() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = HTTPGetTest.class.getResource("DoubleItHTTPGet.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItKeyIdentifierPort"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, PORT); + int result = x509Port.doubleIt(25); + assertEquals(result, 50); + + bus.shutdown(true); + } + + @org.junit.Test + public void testHTTPGetClientSecurityPolicy() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "http://localhost:" + 
PORT + "/DoubleItX509KeyIdentifier/DoubleIt"; + WebClient client = WebClient.create(address); + client.query("numberToDouble", "20"); + + try { + client.get(XMLSource.class); + fail("Failure expected on security policy failure"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + @org.junit.Test + public void testSignedBodyTimestamp() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = HTTPGetTest.class.getResource("DoubleItHTTPGet.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSignBodyPort"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" + + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + int result = port.doubleIt(25); + assertEquals(result, 50); + + bus.shutdown(true); + } + + @org.junit.Test + public void testHTTPGetSignedBody() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = 
bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "http://localhost:" + PORT + "/DoubleItSignBody/DoubleIt"; + WebClient client = WebClient.create(address); + client.query("numberToDouble", "20"); + /* + XMLSource result = client.get(XMLSource.class); + result.setBuffering(true); + + String input = result.getNode("//doubledNumber", String.class); + assertTrue(input.startsWith("<doubledNumber>40")); + */ + + try { + client.get(XMLSource.class); + fail("Failure expected on security policy failure"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + + private boolean checkUnrestrictedPoliciesInstalled() { + try { + byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; + + SecretKey key192 = new SecretKeySpec( + new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}, + "AES"); + Cipher c = Cipher.getInstance("AES"); + c.init(Cipher.ENCRYPT_MODE, key192); + c.doFinal(data); + return true; + } catch (Exception e) { + // + } + return false; + } + +}
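--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/httpget/server/Server.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.httpget.server;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run() {
+        URL busFile = Server.class.getResource("server.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+    }
+}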
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/client/client.xml+55 −0 added@@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:jaxws="http://cxf.apache.org/jaxws" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:p="http://cxf.apache.org/policy" + xmlns:sec="http://cxf.apache.org/configuration/security" + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd" +> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItKeyIdentifierPort" + createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.encryption.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + <entry key="ws-security.encryption.username" value="bob"/> + </jaxws:properties> + </jaxws:client> + + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignBodyPort" + createdFromAPI="true"> + </jaxws:client> + +</beans>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl+138 −0 added@@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<wsdl:definitions name="DoubleIt" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt" + targetNamespace="http://www.example.org/contract/DoubleIt" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsaws="http://www.w3.org/2005/08/addressing" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" + xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"> + + <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" + namespace="http://www.example.org/contract/DoubleIt"/> + + <wsdl:binding name="DoubleItKeyIdentifierBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItKeyIdentifierPolicy" /> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation 
soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault" /> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> + + <wsdl:binding name="DoubleItNoSecurityBinding" type="tns:DoubleItPortType"> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault" /> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> + + <wsdl:service name="DoubleItService"> + <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding"> + <soap:address location="http://localhost:9001/DoubleItX509KeyIdentifier" /> + </wsdl:port> + <wsdl:port name="DoubleItSignBodyPort" binding="tns:DoubleItNoSecurityBinding"> + <soap:address location="http://localhost:9001/DoubleItSignBody" /> + </wsdl:port> + </wsdl:service> + + <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:WssX509V3Token10 /> + <sp:RequireKeyIdentifierReference /> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic256/> + </wsp:Policy> + </sp:AlgorithmSuite> + 
</wsp:Policy> + </sp:SymmetricBinding> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + +</wsdl:definitions>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/server/server.xml+89 −0 added@@ -0,0 +1,89 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:jaxws="http://cxf.apache.org/jaxws" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" + xmlns:sec="http://cxf.apache.org/configuration/security" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:p="http://cxf.apache.org/policy" + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd + 
http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd + "> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <jaxws:endpoint + id="KeyIdentifier" + address="http://localhost:${testutil.ports.Server}/DoubleItX509KeyIdentifier" + serviceName="s:DoubleItService" + endpointName="s:DoubleItKeyIdentifierPort" + xmlns:s="http://www.example.org/contract/DoubleIt" + implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl"> + + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + </jaxws:properties> + + </jaxws:endpoint> + + <jaxws:endpoint + id="SignBody" + address="http://localhost:${testutil.ports.Server}/DoubleItSignBody" + serviceName="s:DoubleItService" + endpointName="s:DoubleItSignBodyPort" + xmlns:s="http://www.example.org/contract/DoubleIt" + implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl"> + + <jaxws:inInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="Signature Timestamp"/> + <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> + <entry key="passwordCallbackClass" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + </map> + </constructor-arg> + </bean> + <!--<bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker"/>--> + </jaxws:inInterceptors> + </jaxws:endpoint> + + +</beans>
1a6b532d53a7Added some tests for CXF-4629
7 files changed · +551 −3
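--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -179,15 +179,19 @@ public Object getProperty(Object msgContext, String key) {
     }
     public final boolean isGET(SoapMessage message) {
         String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
-        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
+        boolean isGet =
+            "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
+        if (isGet) {
+            //make sure we skip the URIMapping as we cannot apply security requirements to that
+            message.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE);
+        }
+        return isGet;
     }
     public void handleMessage(SoapMessage msg) throws Fault {
         if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
             return;
         }
-        //make sure we skip the URIMapping as we cannot apply security requirements to that
-        msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE);
         msg.put(SECURITY_PROCESSED, Boolean.TRUE);
         boolean utWithCallbacks =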
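Review bot: `isGET` is a `public final` predicate whose name promises a pure check, yet it now writes `URIMappingInterceptor.URIMAPPING_SKIP` onto the message, and nothing in the hunk tells other callers of `isGET` that they will also mark the message. A Javadoc on `isGET` should state that contract, e.g. `/** True for an HTTP GET carrying no parsed XML body. Side effect: such a message is flagged with URIMAPPING_SKIP so URIMappingInterceptor will not dispatch it, because WS-Security requirements cannot be enforced on a GET. */`. Placing the flag inside the predicate is what makes the fix effective: in `handleMessage` the flag would only be reachable after the `isGET(msg)` early return, i.e. never for a GET. The enclosing class continues outside the hunk.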
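--- a/systests/ws-security/pom.xml
+++ b/systests/ws-security/pom.xml
@@ -124,6 +124,11 @@
             <artifactId>cxf-rt-frontend-jaxws</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-frontend-jaxrs</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>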
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/httpget/HTTPGetTest.java+216 −0 added@@ -0,0 +1,216 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.systest.ws.httpget; + +import java.net.URL; +import java.util.HashMap; +import java.util.Map; + +import javax.crypto.Cipher; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import javax.xml.namespace.QName; +import javax.xml.ws.Service; + +import org.apache.cxf.Bus; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.jaxrs.client.WebClient; +import org.apache.cxf.jaxrs.ext.xml.XMLSource; +import org.apache.cxf.systest.ws.common.SecurityTestUtil; +import org.apache.cxf.systest.ws.httpget.server.Server; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; +import org.example.contract.doubleit.DoubleItPortType; +import org.junit.BeforeClass; + +/** + * A set of tests for CXF-4629. 
+ */ +public class HTTPGetTest extends AbstractBusClientServerTestBase { + public static final String PORT = allocatePort(Server.class); + + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); + + private boolean unrestrictedPoliciesInstalled = checkUnrestrictedPoliciesInstalled(); + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(Server.class, true) + ); + } + + @org.junit.AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + stopAllServers(); + } + + @org.junit.Test + public void testSOAPClientSecurityPolicy() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = HTTPGetTest.class.getResource("DoubleItHTTPGet.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItKeyIdentifierPort"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, PORT); + int result = x509Port.doubleIt(25); + assertEquals(result, 50); + + bus.shutdown(true); + } + + @org.junit.Test + public void testHTTPGetClientSecurityPolicy() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "http://localhost:" + 
PORT + "/DoubleItX509KeyIdentifier/DoubleIt"; + WebClient client = WebClient.create(address); + client.query("numberToDouble", "20"); + + try { + client.get(XMLSource.class); + fail("Failure expected on security policy failure"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + @org.junit.Test + public void testSignedBodyTimestamp() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = HTTPGetTest.class.getResource("DoubleItHTTPGet.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSignBodyPort"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" + + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + int result = port.doubleIt(25); + assertEquals(result, 50); + + bus.shutdown(true); + } + + @org.junit.Test + public void testHTTPGetSignedBody() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = HTTPGetTest.class.getResource("client/client.xml"); + + Bus bus = 
bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "http://localhost:" + PORT + "/DoubleItSignBody/DoubleIt"; + WebClient client = WebClient.create(address); + client.query("numberToDouble", "20"); + /* + XMLSource result = client.get(XMLSource.class); + result.setBuffering(true); + + String input = result.getNode("//doubledNumber", String.class); + assertTrue(input.startsWith("<doubledNumber>40")); + */ + + try { + client.get(XMLSource.class); + fail("Failure expected on security policy failure"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + + private boolean checkUnrestrictedPoliciesInstalled() { + try { + byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; + + SecretKey key192 = new SecretKeySpec( + new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}, + "AES"); + Cipher c = Cipher.getInstance("AES"); + c.init(Cipher.ENCRYPT_MODE, key192); + c.doFinal(data); + return true; + } catch (Exception e) { + // + } + return false; + } + +}
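Review bot: `testHTTPGetClientSecurityPolicy` and `testHTTPGetSignedBody` treat any `Exception` thrown by `client.get(XMLSource.class)` as the expected security failure, so a connection error, a wrong path, or a client-side unmarshalling problem would also make the test pass and a regression that dispatches the GET and then fails for an unrelated reason would go unnoticed. Narrow the check to the actual outcome, for example by inspecting the HTTP status of the last response via `client.getResponse()` after the call, or by catching only the exception type the JAX-RS client raises for a non-2xx response (presumably a `WebApplicationException` subtype — confirm against the client in this version). The block of commented-out code in `testHTTPGetSignedBody` should either be deleted or replaced by a one-line comment stating that before the fix the GET returned `<doubledNumber>40` without any security processing, which is the behaviour these tests guard against. The early `return` when `unrestrictedPoliciesInstalled` is false makes a skipped test indistinguishable from a passing one; `org.junit.Assume.assumeTrue(unrestrictedPoliciesInstalled)` would report it as skipped instead.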
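--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/httpget/server/Server.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.httpget.server;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run() {
+        URL busFile = Server.class.getResource("server.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+    }
+}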
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/client/client.xml+55 −0 added@@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:jaxws="http://cxf.apache.org/jaxws" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:p="http://cxf.apache.org/policy" + xmlns:sec="http://cxf.apache.org/configuration/security" + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd" +> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItKeyIdentifierPort" + createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.encryption.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + <entry key="ws-security.encryption.username" value="bob"/> + </jaxws:properties> + </jaxws:client> + + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignBodyPort" + createdFromAPI="true"> + </jaxws:client> + +</beans>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl+138 −0 added@@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<wsdl:definitions name="DoubleIt" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt" + targetNamespace="http://www.example.org/contract/DoubleIt" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsaws="http://www.w3.org/2005/08/addressing" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" + xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"> + + <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" + namespace="http://www.example.org/contract/DoubleIt"/> + + <wsdl:binding name="DoubleItKeyIdentifierBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItKeyIdentifierPolicy" /> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation 
soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault" /> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> + + <wsdl:binding name="DoubleItNoSecurityBinding" type="tns:DoubleItPortType"> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault" /> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> + + <wsdl:service name="DoubleItService"> + <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding"> + <soap:address location="http://localhost:9001/DoubleItX509KeyIdentifier" /> + </wsdl:port> + <wsdl:port name="DoubleItSignBodyPort" binding="tns:DoubleItNoSecurityBinding"> + <soap:address location="http://localhost:9001/DoubleItSignBody" /> + </wsdl:port> + </wsdl:service> + + <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:WssX509V3Token10 /> + <sp:RequireKeyIdentifierReference /> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic256/> + </wsp:Policy> + </sp:AlgorithmSuite> + 
</wsp:Policy> + </sp:SymmetricBinding> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + +</wsdl:definitions>
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/httpget/server/server.xml+89 −0 added@@ -0,0 +1,89 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:jaxws="http://cxf.apache.org/jaxws" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" + xmlns:sec="http://cxf.apache.org/configuration/security" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:p="http://cxf.apache.org/policy" + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd + 
http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd + "> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <jaxws:endpoint + id="KeyIdentifier" + address="http://localhost:${testutil.ports.Server}/DoubleItX509KeyIdentifier" + serviceName="s:DoubleItService" + endpointName="s:DoubleItKeyIdentifierPort" + xmlns:s="http://www.example.org/contract/DoubleIt" + implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl"> + + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> + </jaxws:properties> + + </jaxws:endpoint> + + <jaxws:endpoint + id="SignBody" + address="http://localhost:${testutil.ports.Server}/DoubleItSignBody" + serviceName="s:DoubleItService" + endpointName="s:DoubleItSignBodyPort" + xmlns:s="http://www.example.org/contract/DoubleIt" + implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/httpget/DoubleItHTTPGet.wsdl"> + + <jaxws:inInterceptors> + <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> + <constructor-arg> + <map> + <entry key="action" value="Signature Timestamp"/> + <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> + <entry key="passwordCallbackClass" + value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/> + </map> + </constructor-arg> + </bean> + <!--<bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker"/>--> + </jaxws:inInterceptors> + </jaxws:endpoint> + + +</beans>
e733c692e933Merged revisions 1409910 via git cherry-pick from
2 files changed · +8 −0
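--- a/rt/core/src/main/java/org/apache/cxf/interceptor/URIMappingInterceptor.java
+++ b/rt/core/src/main/java/org/apache/cxf/interceptor/URIMappingInterceptor.java
@@ -46,6 +46,7 @@
 import org.apache.cxf.message.Exchange;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageContentsList;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.service.Service;
 import org.apache.cxf.service.model.BindingInfo;
@@ -55,6 +56,7 @@
 import org.apache.cxf.service.model.ServiceModelUtil;
 public class URIMappingInterceptor extends AbstractInDatabindingInterceptor {
+    public static final String URIMAPPING_SKIP = URIMappingInterceptor.class.getName() + ".skip";
     private static final Logger LOG = LogUtils.getL7dLogger(URIMappingInterceptor.class);
@@ -73,6 +75,9 @@ public void handleMessage(Message message) throws Fault {
             }
             return;
         }
+        if (MessageUtils.getContextualBoolean(message, URIMAPPING_SKIP, false)) {
+            return;
+        }
         String opName = getOperationName(message);
         if (LOG.isLoggable(Level.FINE)) {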
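Review bot: `URIMAPPING_SKIP` is a new public constant with no Javadoc, and the guard `MessageUtils.getContextualBoolean(message, URIMAPPING_SKIP, false)` defaults to mapping the GET onto an operation whenever nobody set the flag, so the safety of this path depends on every security interceptor remembering to set it. Document that contract on the constant, e.g. `/** Contextual boolean property; when true, URIMappingInterceptor does not map an HTTP GET onto a service operation. Set by interceptors (such as WSS4JInInterceptor) whose requirements cannot be enforced on a GET. */`. If `getContextualBoolean` also consults exchange, endpoint and bus properties, as its name suggests, the same Javadoc should say that an endpoint can set this property statically to refuse GET dispatch regardless of which interceptors are installed — the conservative configuration for a secured endpoint. The identical hunk in the api/ copy of this file under d99f96aa970d needs the same comment; `handleMessage` continues outside the hunk.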
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java+3 −0 modified@@ -59,6 +59,7 @@ import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.Fault; +import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.Phase; import org.apache.cxf.phase.PhaseInterceptor; @@ -196,6 +197,8 @@ public void handleMessage(SoapMessage msg) throws Fault { if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) { return; } + //make sure we skip the URIMapping as we cannot apply security requirements to that + msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE); msg.put(SECURITY_PROCESSED, Boolean.TRUE); boolean utWithCallbacks =
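Review bot: The new `msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE)` sits after `if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) { return; }`, so on an HTTP GET — the request shape URIMappingInterceptor turns into an operation call — this interceptor returns before the flag is set and the mapping still runs with no WS-Security processing. The flag therefore only reaches non-GET messages, which is not the case the advisory describes. Move the put ahead of the guard (make it the first statement of `handleMessage`), or set it inside `isGET` whenever that returns true, so the skip is in place on exactly the requests that need it. `handleMessage` continues past the hunk (`boolean utWithCallbacks =` is cut off).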
d99f96aa970dMerged revisions 1409324 via git cherry-pick from
2 files changed · +8 −0
api/src/main/java/org/apache/cxf/interceptor/URIMappingInterceptor.java+5 −0 modified@@ -45,6 +45,7 @@ import org.apache.cxf.message.Exchange; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageContentsList; +import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.Phase; import org.apache.cxf.service.Service; import org.apache.cxf.service.invoker.MethodDispatcher; @@ -55,6 +56,7 @@ import org.apache.cxf.service.model.ServiceModelUtil; public class URIMappingInterceptor extends AbstractInDatabindingInterceptor { + public static final String URIMAPPING_SKIP = URIMappingInterceptor.class.getName() + ".skip"; private static final Logger LOG = LogUtils.getL7dLogger(URIMappingInterceptor.class); @@ -73,6 +75,9 @@ public void handleMessage(Message message) throws Fault { } return; } + if (MessageUtils.getContextualBoolean(message, URIMAPPING_SKIP, false)) { + return; + } String opName = getOperationName(message); if (LOG.isLoggable(Level.FINE)) {
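Review bot: The `URIMAPPING_SKIP` lookup defaults to `false`, so URI mapping remains enabled on every endpoint until a separate interceptor, running before this one's UNMARSHAL phase, opts the message out; an endpoint whose security is enforced by anything other than that producer gets no protection from this change. That ordering assumption is not written down anywhere in the hunk — a one-line comment above the `if`, e.g. `// Set by a security interceptor earlier in the chain; absent that, GET/query-string invocations are still mapped to operations.`, would keep the next maintainer from moving either side. The start of `handleMessage` and the `return` block just above the new check are outside the hunk, so I cannot confirm nothing processes the message before the skip is consulted.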
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java+3 −0 modified@@ -59,6 +59,7 @@ import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.Fault; +import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.Phase; import org.apache.cxf.phase.PhaseInterceptor; @@ -192,6 +193,8 @@ public void handleMessage(SoapMessage msg) throws Fault { if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) { return; } + //make sure we skip the URIMapping as we cannot apply security requirements to that + msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE); msg.put(SECURITY_PROCESSED, Boolean.TRUE); boolean utWithCallbacks =
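Review bot: The flag is written on the line after `if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) { return; }`, which means a GET request leaves `handleMessage` before `URIMAPPING_SKIP` is ever set, and URIMappingInterceptor will still map its query string to an operation with no security processing applied. Only messages that fail `isGET` get the flag, so the skip never fires for the request type it was introduced for. Hoisting the put above the guard, `msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE);` as the first statement, or setting it from inside `isGET` when it returns true, closes that gap. The rest of `handleMessage` is below the hunk.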
94a98b3fe9c7[CXF-4629] Part 2 - remove the URIMappingInterceptor from the default chains
14 files changed · +74 −75
api/src/main/java/org/apache/cxf/interceptor/URIMappingInterceptor.java+1 −0 modified@@ -60,6 +60,7 @@ public class URIMappingInterceptor extends AbstractInDatabindingInterceptor { private static final Logger LOG = LogUtils.getL7dLogger(URIMappingInterceptor.class); + @Deprecated public URIMappingInterceptor() { super(Phase.UNMARSHAL); }
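Review bot: The `@Deprecated` added to the constructor carries no Javadoc `@deprecated` tag, so a caller gets a compiler warning with no explanation and no guidance, even though this same commit stops adding the interceptor to the SOAP and XML binding chains. I would put above it `/** @deprecated URI mapping turns HTTP GET query strings into operation invocations and is not covered by WS-Security processing; it is no longer installed by default. Add it explicitly only to endpoints with no security requirements. */`. The class header and the constructor body are outside the hunk.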
rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SoapBindingFactory.java+0 −6 modified@@ -88,7 +88,6 @@ import org.apache.cxf.interceptor.InterceptorProvider; import org.apache.cxf.interceptor.StaxInInterceptor; import org.apache.cxf.interceptor.StaxOutInterceptor; -import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.interceptor.WrappedOutInterceptor; import org.apache.cxf.message.Message; import org.apache.cxf.phase.Phase; @@ -435,11 +434,6 @@ public Binding createBinding(BindingInfo binding) { sb.getOutFaultInterceptors().add(new SoapOutInterceptor(getBus())); sb.getOutFaultInterceptors().add(SoapHeaderOutFilterInterceptor.INSTANCE); - // REVISIT: The phase interceptor chain seems to freak out if this added - // first. Not sure what the deal is at the moment, I suspect the - // ordering algorithm needs to be improved - sb.getInInterceptors().add(new URIMappingInterceptor()); - if (version.getVersion() == 1.1) { sb.getInFaultInterceptors().add(new Soap11FaultInInterceptor()); sb.getOutFaultInterceptors().add(new Soap11FaultOutInterceptor());
rt/bindings/xml/src/main/java/org/apache/cxf/binding/xml/XMLBindingFactory.java+0 −2 modified@@ -37,7 +37,6 @@ import org.apache.cxf.interceptor.DocLiteralInInterceptor; import org.apache.cxf.interceptor.StaxInInterceptor; import org.apache.cxf.interceptor.StaxOutInterceptor; -import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.interceptor.WrappedOutInterceptor; import org.apache.cxf.service.model.BindingInfo; import org.apache.cxf.service.model.BindingOperationInfo; @@ -65,7 +64,6 @@ public Binding createBinding(BindingInfo binding) { xb.getInInterceptors().add(new AttachmentInInterceptor()); xb.getInInterceptors().add(new StaxInInterceptor()); - xb.getInInterceptors().add(new URIMappingInterceptor()); xb.getInInterceptors().add(new DocLiteralInInterceptor()); xb.getInInterceptors().add(new XMLMessageInInterceptor());
rt/databinding/aegis/src/test/java/org/apache/cxf/aegis/jaxws/AegisJaxwsGetTest.java+4 −0 modified@@ -34,6 +34,7 @@ import org.apache.cxf.endpoint.Server; import org.apache.cxf.frontend.ServerFactoryBean; import org.apache.cxf.interceptor.AbstractInDatabindingInterceptor; +import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.jaxws.JaxWsServerFactoryBean; import org.apache.cxf.staxutils.StaxUtils; import org.apache.cxf.test.AbstractCXFTest; @@ -50,12 +51,14 @@ public class AegisJaxwsGetTest extends AbstractCXFTest { public static final String PORT = TestUtil.getPortNumber(AegisJaxwsGetTest.class); + @SuppressWarnings("deprecation") @Before public void before() throws Exception { JaxWsServerFactoryBean sf = new JaxWsServerFactoryBean(); sf.setAddress("http://localhost:" + PORT + "/Echo"); sf.setDataBinding(new AegisDatabinding()); sf.setServiceBean(new Echo()); + sf.getInInterceptors().add(new URIMappingInterceptor()); Server server = sf.create(); // turn off nanny in URIMappingInterceptor server.getEndpoint() @@ -65,6 +68,7 @@ public void before() throws Exception { sf2.setAddress("http://localhost:" + PORT + "/SimpleEcho"); sf2.setDataBinding(new AegisDatabinding()); sf2.setServiceBean(new Echo()); + sf2.getInInterceptors().add(new URIMappingInterceptor()); server = sf2.create(); // turn off nanny in URIMappingInterceptor server.getEndpoint()
rt/frontend/jaxws/src/test/java/org/apache/cxf/jaxws/URIMappingInterceptorDocLitTest.java+1 −0 modified@@ -45,6 +45,7 @@ import org.junit.Before; import org.junit.Test; +@SuppressWarnings("deprecation") public class URIMappingInterceptorDocLitTest extends AbstractCXFTest { Message message;
rt/frontend/jaxws/src/test/java/org/apache/cxf/jaxws/URIMappingInterceptorRPCTest.java+1 −0 modified@@ -45,6 +45,7 @@ import org.junit.Before; import org.junit.Test; +@SuppressWarnings("deprecation") public class URIMappingInterceptorRPCTest extends AbstractCXFTest { Message message;
systests/jaxws/src/test/java/org/apache/cxf/systest/jaxws/httpget/JavaFirstHttpGetTest.java+3 −0 modified@@ -26,6 +26,7 @@ import org.apache.cxf.helpers.IOUtils; import org.apache.cxf.interceptor.LoggingInInterceptor; import org.apache.cxf.interceptor.LoggingOutInterceptor; +import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.jaxws.JaxWsServerFactoryBean; import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; import org.apache.cxf.testutil.common.AbstractBusTestServerBase; @@ -41,10 +42,12 @@ public class JavaFirstHttpGetTest extends AbstractBusClientServerTestBase { + PORT + "/JavaFirstHttpGetTest"; public static class Server extends AbstractBusTestServerBase { + @SuppressWarnings("deprecation") protected void run() { MyImplementation implementor = new MyImplementation(); JaxWsServerFactoryBean svrFactory = new JaxWsServerFactoryBean(); svrFactory.setServiceClass(MyInterface.class); + svrFactory.getInInterceptors().add(new URIMappingInterceptor()); svrFactory.setAddress(BASE_URL); svrFactory.setServiceBean(implementor); svrFactory.getInInterceptors().add(new LoggingInInterceptor());
systests/jaxws/src/test/java/org/apache/cxf/systest/jaxws/ServerGreeterNoWsdl.java+4 −0 modified@@ -26,11 +26,14 @@ import org.apache.cxf.frontend.WSDLGetUtils; import org.apache.cxf.greeter_control.GreeterImplNoWsdl; +import org.apache.cxf.interceptor.URIMappingInterceptor; +import org.apache.cxf.jaxws.EndpointImpl; import org.apache.cxf.testutil.common.AbstractBusTestServerBase; public class ServerGreeterNoWsdl extends AbstractBusTestServerBase { static final String PORT = allocatePort(ServerGreeterNoWsdl.class); + @SuppressWarnings("deprecation") protected void run() { Object implementor = new GreeterImplNoWsdl(); String address = "http://localhost:" + PORT + "/SoapContext/GreeterPort"; @@ -39,6 +42,7 @@ protected void run() { props.put(WSDLGetUtils.WSDL_CREATE_IMPORTS, Boolean.TRUE); ep.setProperties(props); ep.publish(address); + ((EndpointImpl)ep).getService().getInInterceptors().add(new URIMappingInterceptor()); } public static void main(String[] args) {
systests/jaxws/src/test/java/org/apache/cxf/systest/jaxws/Server.java+23 −7 modified@@ -20,13 +20,16 @@ package org.apache.cxf.systest.jaxws; import java.net.URL; +import java.util.LinkedList; +import java.util.List; import java.util.concurrent.Future; import javax.jws.WebService; import javax.xml.ws.AsyncHandler; import javax.xml.ws.Endpoint; import org.apache.cxf.annotations.UseAsyncMethod; +import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.jaxws.EndpointImpl; import org.apache.cxf.jaxws.ServerAsyncResponse; import org.apache.cxf.testutil.common.AbstractBusTestServerBase; @@ -40,6 +43,9 @@ public class Server extends AbstractBusTestServerBase { static final String BARE_PORT = allocatePort(Server.class, 1); static final String BOGUS_REAL_PORT = allocatePort(Server.class, 2); + List<Endpoint> eps = new LinkedList<Endpoint>(); + + @SuppressWarnings("deprecation") protected void run() { URL url = getClass().getResource("fault-stack-trace.xml"); if (url != null) { 
@@ -50,23 +56,25 @@ protected void run() { implementor = new AsyncGreeter(); address = "http://localhost:" + PORT + "/SoapContext/AsyncSoapPort"; - Endpoint.publish(address, implementor); + eps.add(Endpoint.publish(address, implementor)); implementor = new GreeterImplMultiPort(); address = "http://localhost:" + PORT + "/MultiPort/GreeterPort"; - Endpoint.publish(address, implementor); + eps.add(Endpoint.publish(address, implementor)); implementor = new DocLitBareGreeterMultiPort(); address = "http://localhost:" + PORT + "/MultiPort/DocBarePort"; - Endpoint.publish(address, implementor); + eps.add(Endpoint.publish(address, implementor)); implementor = new GreeterImpl(); address = "http://localhost:" + PORT + "/SoapContext/SoapPort"; - Endpoint.publish(address, implementor); + Endpoint ep = Endpoint.publish(address, implementor); + ((EndpointImpl)ep).getService().getInInterceptors().add(new URIMappingInterceptor()); + eps.add(ep); implementor = new RefGreeterImpl(); address = "http://localhost:" + PORT + "/SoapContext/SoapPort2"; - Endpoint.publish(address, implementor); + eps.add(Endpoint.publish(address, implementor)); //publish port with soap12 binding address = "http://localhost:" + PORT + "/SoapContext/SoapPort"; 
@@ -75,17 +83,25 @@ protected void run() { EndpointImpl e = (EndpointImpl) Endpoint.create(javax.xml.ws.soap.SOAPBinding.SOAP12HTTP_BINDING, new Greeter12Impl()); e.publish(address); + eps.add(e); implementor = new DocLitBareGreeterImpl(); address = "http://localhost:" + BARE_PORT + "/SoapContext/SoapPort"; - Endpoint.publish(address, implementor); + eps.add(Endpoint.publish(address, implementor)); implementor = new GreeterImplBogus(); address = "http://localhost:" + BOGUS_REAL_PORT + "/SoapContext/SoapPort"; - Endpoint.publish(address, implementor); + eps.add(Endpoint.publish(address, implementor)); } + public void tearDown() { + while (!eps.isEmpty()) { + Endpoint ep = eps.remove(0); + ep.stop(); + } + } + @WebService(endpointInterface = "org.apache.hello_world_soap_http.Greeter", targetNamespace = "http://apache.org/hello_world_soap_http") public class Greeter12Impl extends BaseGreeterImpl {
systests/jaxws/src/test/java/org/apache/cxf/systest/jaxws/ServerMisc.java+3 −0 modified@@ -23,6 +23,7 @@ import org.apache.cxf.anonymous_complex_type.AnonymousComplexTypeImpl; import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor; +import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.jaxb_element_test.JaxbElementTestImpl; import org.apache.cxf.jaxws.EndpointImpl; import org.apache.cxf.jaxws.JAXWSMethodInvoker; @@ -51,6 +52,7 @@ public class ServerMisc extends AbstractBusTestServerBase { public static final String DOCLIT_CODEFIRST_SETTINGS_URL = "http://localhost:" + PORT + "/DocLitWrappedCodeFirstServiceSettings/"; + @SuppressWarnings("deprecation") protected void run() { Factory factory = new PerRequestFactory(DocLitWrappedCodeFirstServiceImpl.class); @@ -86,6 +88,7 @@ public Long getWrapperPartMinOccurs(MessagePartInfo mpi) { Object implementor7 = new DocLitBareCodeFirstServiceImpl(); EndpointImpl ep = (EndpointImpl)Endpoint.publish(DOCLITBARE_CODEFIRST_URL, implementor7); ep.getServer().getEndpoint().getInInterceptors().add(new SAAJInInterceptor()); + ep.getServer().getEndpoint().getInInterceptors().add(new URIMappingInterceptor()); Object implementor6 = new InterfaceInheritTestImpl();
systests/jaxws/src/test/java/org/apache/cxf/systest/jaxws/ServerXMLBinding.java+22 −5 modified@@ -19,8 +19,13 @@ package org.apache.cxf.systest.jaxws; +import java.util.LinkedList; +import java.util.List; + import javax.xml.ws.Endpoint; +import org.apache.cxf.interceptor.URIMappingInterceptor; +import org.apache.cxf.jaxws.EndpointImpl; import org.apache.cxf.testutil.common.AbstractBusTestServerBase; import org.apache.headers.HeaderTesterImpl; import org.apache.hello_world_xml_http.bare.GreeterImpl; 
@@ -32,26 +37,38 @@ public class ServerXMLBinding extends AbstractBusTestServerBase { static final String WRAP_PORT = allocatePort(ServerXMLBinding.class, 1); static final String MIX_PORT = allocatePort(ServerXMLBinding.class, 2); + List<Endpoint> eps = new LinkedList<Endpoint>(); + + @SuppressWarnings("deprecation") protected void run() { Object implementor = new GreeterImpl(); String address = "http://localhost:" + REG_PORT + "/XMLService/XMLPort"; - Endpoint.publish(address, implementor); + eps.add(Endpoint.publish(address, implementor)); + + ((EndpointImpl)eps.get(0)).getService().getInInterceptors().add(new URIMappingInterceptor()); Object implementor1 = new org.apache.hello_world_xml_http.wrapped.GreeterImpl(); address = "http://localhost:" + WRAP_PORT + "/XMLService/XMLPort"; - Endpoint.publish(address, implementor1); + eps.add(Endpoint.publish(address, implementor1)); Object faultImplementor = new GreeterFaultImpl(); String faultAddress = "http://localhost:" + REG_PORT + "/XMLService/XMLFaultPort"; - Endpoint.publish(faultAddress, faultImplementor); + eps.add(Endpoint.publish(faultAddress, faultImplementor)); Object implementor2 = new HeaderTesterImpl(); address = "http://localhost:" + REG_PORT + "/XMLContext/XMLPort"; - Endpoint.publish(address, implementor2); + eps.add(Endpoint.publish(address, implementor2)); Object implementor3 = new org.apache.hello_world_xml_http.mixed.GreeterImpl(); address = "http://localhost:" + MIX_PORT + "/XMLService/XMLPort"; - Endpoint.publish(address, implementor3); + eps.add(Endpoint.publish(address, implementor3)); + } + + public void tearDown() { + while (!eps.isEmpty()) { + Endpoint ep = eps.remove(0); + ep.stop(); + } } public static void main(String[] args) {
systests/transports/src/test/java/org/apache/cxf/systest/servlet/SpringAutoPublishServletTest.java+1 −27 modified@@ -71,33 +71,7 @@ public void invokingEndpoint(WebRequest req) throws Exception { assertValid("/s:Envelope/s:Body", doc); assertValid("//h:sayHiResponse", doc); } - - @Test - public void testGreetMeGetRequest() throws Exception { - ServletUnitClient client = newClient(); - client.setExceptionsThrownOnErrorStatus(true); - - WebRequest req = - new GetMethodQueryWebRequest(CONTEXT_URL + "/services/SOAPService/greetMe?" - + "requestType=hello"); - - WebResponse response = client.getResponse(req); - Document doc = DOMUtils.readXml(response.getInputStream()); - addNamespace("h", "http://apache.org/hello_world_soap_http/types"); - assertValid("/s:Envelope/s:Body", doc); - assertValid("//h:greetMeResponse", doc); - - req = - new GetMethodQueryWebRequest(CONTEXT_URL + "/services/DerivedGreeterService/greetMe?" - + "requestType=hello"); - - response = client.getResponse(req); - doc = DOMUtils.readXml(response.getInputStream()); - addNamespace("h", "http://apache.org/hello_world_soap_http/types"); - assertValid("/s:Envelope/s:Body", doc); - assertValid("//h:greetMeResponse", doc); - } - + @Test public void testGetWSDL() throws Exception {
systests/transports/src/test/java/org/apache/cxf/systest/servlet/SpringServletTest.java+1 −27 modified@@ -74,33 +74,7 @@ public void invokingEndpoint(WebRequest req) throws Exception { assertValid("/s:Envelope/s:Body", doc); assertValid("//h:sayHiResponse", doc); } - - @Test - public void testGreetMeGetRequest() throws Exception { - ServletUnitClient client = newClient(); - client.setExceptionsThrownOnErrorStatus(true); - - WebRequest req = - new GetMethodQueryWebRequest(CONTEXT_URL + "/services/Greeter/greetMe?" - + "requestType=hello"); - - WebResponse response = client.getResponse(req); - Document doc = DOMUtils.readXml(response.getInputStream()); - addNamespace("h", "http://apache.org/hello_world_soap_http/types"); - assertValid("/s:Envelope/s:Body", doc); - assertValid("//h:greetMeResponse", doc); - - req = - new GetMethodQueryWebRequest(CONTEXT_URL + "/services/Greeter1/greetMe?" - + "requestType=hello"); - - response = client.getResponse(req); - doc = DOMUtils.readXml(response.getInputStream()); - addNamespace("h", "http://apache.org/hello_world_soap_http/types"); - assertValid("/s:Envelope/s:Body", doc); - assertValid("//h:greetMeResponse", doc); - } - + @Test public void testGetWSDL() throws Exception {
systests/uncategorized/src/test/java/org/apache/cxf/systest/soap12/Server.java+10 −1 modified@@ -21,18 +21,27 @@ import javax.xml.ws.Endpoint; +import org.apache.cxf.interceptor.URIMappingInterceptor; +import org.apache.cxf.jaxws.EndpointImpl; import org.apache.cxf.testutil.common.AbstractBusTestServerBase; public class Server extends AbstractBusTestServerBase { public static final String PORT = allocatePort(Server.class); + Endpoint ep; + @SuppressWarnings("deprecation") protected void run() { Object implementor = new GreeterImpl(); String address = "http://localhost:" + PORT + "/SoapContext/SoapPort"; - Endpoint.publish(address, implementor); + ep = Endpoint.publish(address, implementor); + EndpointImpl epi = (EndpointImpl)ep; + epi.getService().getInInterceptors().add(new URIMappingInterceptor()); } + public void tearDown() throws Exception { + ep.stop(); + } public static void main(String[] args) { try {
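Review bot: `tearDown()` calls `ep.stop()` unconditionally, but `ep` is only assigned inside `run()`; if `Endpoint.publish` throws, the teardown NPEs and masks the original failure. Guard it with `if (ep != null) { ep.stop(); }`. Whether `tearDown` overrides a method of `AbstractBusTestServerBase` is not visible here; if it does, it should carry `@Override`.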
db11c9115f31[CXF-4629] Skip the URIMappingInterceptor if ws-security is being used.
2 files changed · +8 −0
api/src/main/java/org/apache/cxf/interceptor/URIMappingInterceptor.java+5 −0 modified@@ -45,6 +45,7 @@ import org.apache.cxf.message.Exchange; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageContentsList; +import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.Phase; import org.apache.cxf.service.Service; import org.apache.cxf.service.invoker.MethodDispatcher; @@ -55,6 +56,7 @@ import org.apache.cxf.service.model.ServiceModelUtil; public class URIMappingInterceptor extends AbstractInDatabindingInterceptor { + public static final String URIMAPPING_SKIP = URIMappingInterceptor.class.getName() + ".skip"; private static final Logger LOG = LogUtils.getL7dLogger(URIMappingInterceptor.class); @@ -73,6 +75,9 @@ public void handleMessage(Message message) throws Fault { } return; } + if (MessageUtils.getContextualBoolean(message, URIMAPPING_SKIP, false)) { + return; + } String opName = getOperationName(message); if (LOG.isLoggable(Level.FINE)) {
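Review bot: The new `URIMAPPING_SKIP` guard is deny-nothing by default — `getContextualBoolean(message, URIMAPPING_SKIP, false)` — so the mapping keeps running on every endpoint until some interceptor earlier than this one's UNMARSHAL phase sets the flag, and an endpoint relying on any other security mechanism is left exactly as before. The hunk records none of that: I would add `// Opt-out only: a security interceptor earlier in the chain sets this so query-string invocations cannot bypass it; endpoints without one are still mapped.` above the `if`. The top of `handleMessage`, including the `return` branch just above the new check, is cut off, so I cannot see whether anything acts on the message before the skip is consulted.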
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java+3 −0 modified@@ -56,6 +56,7 @@ import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.Fault; +import org.apache.cxf.interceptor.URIMappingInterceptor; import org.apache.cxf.interceptor.security.SAMLSecurityContext; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.Phase; @@ -189,6 +190,8 @@ public void handleMessage(SoapMessage msg) throws Fault { if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) { return; } + //make sure we skip the URIMapping as we cannot apply security requirements to that + msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE); msg.put(SECURITY_PROCESSED, Boolean.TRUE); boolean utWithCallbacks =
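Review bot: The new `msg.put(URIMappingInterceptor.URIMAPPING_SKIP, Boolean.TRUE)` comes after `if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) { return; }`, so for an HTTP GET this interceptor exits before the flag is written and URIMappingInterceptor still turns the query string into an operation call without any WS-Security processing. The skip is thus applied only to non-GET messages, which is not the bypass the commit title describes. Make the put the first statement of `handleMessage`, or set the flag inside `isGET` when it returns true, so it is in place on the requests URI mapping actually handles. `handleMessage` continues below the hunk.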
References
- cxf.apache.org/cve-2012-5633.htmlnvdVendor AdvisoryWEB
- secunia.com/advisories/51988nvdVendor Advisory
- secunia.com/advisories/52183nvdVendor Advisory
- github.com/advisories/GHSA-xf9f-32gh-h2w4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-5633ghsaADVISORY
- packetstormsecurity.com/files/120213/Apache-CXF-WS-Security-URIMappingInterceptor-Bypass.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0256.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0257.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0258.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0259.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0726.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0743.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0749.htmlnvdWEB
- seclists.org/fulldisclosure/2013/Feb/39nvdWEB
- stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requestsnvdWEB
- svn.apache.org/viewvcnvdWEB
- svn.apache.org/viewvcnvdWEB
- exchange.xforce.ibmcloud.com/vulnerabilities/81980nvdWEB
- github.com/apache/cxf/commit/0cbc56618b6048847debe670d54919e227744401ghsaWEB
- github.com/apache/cxf/commit/1a6b532d53a7b98018871982049e4b0c80dc837cghsaWEB
- github.com/apache/cxf/commit/94a98b3fe9c79e2cf3941acbbad216ba54999bc0ghsaWEB
- github.com/apache/cxf/commit/d99f96aa970d9f2faa8ed45e278a403af48757aeghsaWEB
- github.com/apache/cxf/commit/db11c9115f31e171de4622149f157d8283f6c720ghsaWEB
- github.com/apache/cxf/commit/e0cdf873942b4d3fbc253e8ce6bb6fce3898019dghsaWEB
- github.com/apache/cxf/commit/e733c692e933a7f82424d3744aace9304cd5d4f6ghsaWEB
- issues.apache.org/jira/browse/CXF-4629nvdWEB
- issues.jboss.org/browse/JBWS-3575nvdWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3EghsaWEB
- web.archive.org/web/20130216044418/http://www.securityfocus.com:80/bid/57874ghsaWEB
- osvdb.org/90079nvd
- www.securityfocus.com/bid/57874nvd