Wss4jSecurityInterceptor (wss4j2) validates despite NoSecurity setting [SWS-962] #1033

Open
gregturn opened this issue Jul 1, 2016 · 1 comment

@gregturn gregturn commented Jul 1, 2016

Kevin Strobel opened SWS-962 and commented

When using the class org.springframework.ws.soap.security.*wss4j2*.Wss4jSecurityInterceptor with the property validationActions set to NoSecurity, Spring-WS-Security still tries to validate the message.

In the method setValidationActions, Apache's WSSecurityUtil decodes the split string into Integers representing the actions.

WSSecurityUtil just returns the internal List if the NoSecurity action is found. The dedicated Integer 0 for NoSecurity is not returned.

However Wss4jSecurityInterceptor#validateMessage (line 646) decides to bypass validation if the Integer 0 exists in the actions list.

Assuming that in the case of a NoSecurity validation action, no other validation action makes sense and therefore none else is specified, a fix would be to simply check whether the list is empty (NoSecurity applies).

// replace line 646 with the following instruction
if (validationActionsVector.isEmpty()) {

Affects: 2.3.0

1 votes, 2 watchers
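The mismatch described in the report above, as an added example that is not part of the original issue and is not Spring-WS or WSS4J code: a simplified model in which `decodeActions`, the two `skipsValidation*` helpers and every action code except 0 for NoSecurity are hypothetical stand-ins. It follows the report's description of the decoder (return the list built so far when NoSecurity is found, never add 0) and compares the existing check with the proposed one.

```java
import java.util.ArrayList;
import java.util.List;

public class NoSecurityCheckDemo {
    static final int NO_SECURITY = 0;     // the dedicated Integer named in the report
    static final int USERNAME_TOKEN = 1;  // constructed code for this model
    static final int TIMESTAMP = 2;       // constructed code for this model

    // Hypothetical stand-in for the decoder as the report describes it:
    // on "NoSecurity" it returns the list built so far and never adds 0.
    static List<Integer> decodeActions(String actions) {
        List<Integer> decoded = new ArrayList<>();
        String trimmed = actions == null ? "" : actions.trim();
        if (trimmed.isEmpty()) {
            return decoded;
        }
        for (String name : trimmed.split("\\s+")) {
            switch (name) {
                case "NoSecurity":    return decoded;
                case "UsernameToken": decoded.add(USERNAME_TOKEN); break;
                case "Timestamp":     decoded.add(TIMESTAMP); break;
                default: throw new IllegalArgumentException("Unknown action: " + name);
            }
        }
        return decoded;
    }

    // Check described in the report: bypass only if Integer 0 is in the list.
    static boolean skipsValidationOriginal(List<Integer> actions) {
        return actions.contains(NO_SECURITY);
    }

    // Check proposed in the report: bypass if the decoded list is empty.
    static boolean skipsValidationProposed(List<Integer> actions) {
        return actions.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample settings for validationActions.
        String[] settings = {"NoSecurity", "UsernameToken Timestamp", "Timestamp NoSecurity"};
        for (String setting : settings) {
            List<Integer> decoded = decodeActions(setting);
            System.out.printf("%-26s decoded=%-8s original skips=%-5b proposed skips=%b%n",
                    "\"" + setting + "\"", decoded,
                    skipsValidationOriginal(decoded), skipsValidationProposed(decoded));
        }
    }
}
```

In this model the third setting decodes to a non-empty list, so neither check skips validation; the proposed check relies on the report's assumption that NoSecurity is configured on its own.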

@gregturn gregturn commented Jul 1, 2016

Kevin Strobel commented

Duplicate of #1032 Aspect b).
