1

I'm using Spring-WS for a client and am trying to update to the newest version. Although configured not to validate the incoming security header, the new Wss4jSecurityInterceptor throws Wss4jSecurityValidationException("No WS-Security header found").

<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor">
  <property name="securementActions" value="UsernameToken"/>
  <property name="validationActions" value="NoSecurity"/>
  <property name="securementPasswordType" value="PasswordText"/>
  <property name="securementUsernameTokenElements" value="Nonce"/>
</bean>

In my opinion it's because Spring-WS 2.3.0 and WSS4J 2.1.4 are incompatible at this point.

Wss4jSecurityInterceptor fills the field validationActionsVector as follows:

public void setValidationActions(String actions) {
  this.validationActions = actions;
  try {
    validationActionsVector = WSSecurityUtil.decodeAction(actions);
  }
  catch (WSSecurityException ex) {
    throw new IllegalArgumentException(ex);
  }
}

where WSS4J in case of NoSecurity returns in WSSecurityUtil an empty List:

public static List<Integer> decodeAction(String action) throws WSSecurityException {
    String actionToParse = action;
    if (actionToParse == null) {
        return Collections.emptyList();
    }
    actionToParse = actionToParse.trim();
    if ("".equals(actionToParse)) {
        return Collections.emptyList();
    }

    List<Integer> actions = new ArrayList<>();
    String single[] = actionToParse.split("\\s");
    for (int i = 0; i < single.length; i++) {
        if (single[i].equals(WSHandlerConstants.NO_SECURITY)) {
            return actions;
        } else if ...

But Wss4jSecurityInterceptor checks for a NoSecurity item in the list:

@Override
protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
        throws WsSecurityValidationException {
    if (logger.isDebugEnabled()) {
        logger.debug("Validating message [" + soapMessage + "] with actions [" + validationActions + "]");
    }

    if (validationActionsVector.contains(WSConstants.NO_SECURITY)) {
        return;
    } ...

Is this a known issue? Does a workaround exist? Or do I have to override the method in WSS4J to fill the list with the expected item?

S. Rohe
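
The mismatch described in the question, as an added example that is not part of the original post and is not Spring-WS or WSS4J source: a simplified model of the decodeAction excerpt and of the interceptor's contains() guard. The class name, the constant values and the UsernameToken code are assumptions made for the demo.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example: simplified model of the mismatch, not library code.
public class NoSecurityMismatchDemo {
    // Stand-ins for WSHandlerConstants.NO_SECURITY and WSConstants.NO_SECURITY (values assumed).
    static final String NO_SECURITY_NAME = "NoSecurity";
    static final int NO_SECURITY = 0;
    static final int USERNAME_TOKEN = 1; // constructed value for the demo

    // Mirrors the decodeAction excerpt: "NoSecurity" returns the list built so far.
    static List<Integer> decodeAction(String action) {
        if (action == null || action.trim().isEmpty()) {
            return Collections.emptyList();
        }
        List<Integer> actions = new ArrayList<>();
        for (String single : action.trim().split("\\s")) {
            if (single.equals(NO_SECURITY_NAME)) {
                return actions; // NO_SECURITY itself is never added to the list
            } else if (single.equals("UsernameToken")) {
                actions.add(USERNAME_TOKEN);
            } else {
                throw new IllegalArgumentException("Unknown action: " + single);
            }
        }
        return actions;
    }

    // Mirrors the interceptor's guard: skip only if the decoded list contains NO_SECURITY.
    static boolean interceptorSkipsValidation(List<Integer> decoded) {
        return decoded.contains(NO_SECURITY);
    }

    // Guard on the configured string instead of the decoded list.
    static boolean stringGuardSkipsValidation(String configured) {
        return NO_SECURITY_NAME.equals(configured);
    }

    public static void main(String[] args) {
        String configured = "NoSecurity";
        List<Integer> decoded = decodeAction(configured);
        System.out.println("decoded list:           " + decoded);
        System.out.println("contains() guard skips: " + interceptorSkipsValidation(decoded));
        System.out.println("string guard skips:     " + stringGuardSkipsValidation(configured));
    }
}
```

For "NoSecurity" the decoded list is empty, so the contains() guard returns false and validation would proceed, while the guard on the configured string returns true.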

4 Answers

2

I had the same problem - no way to avoid validation - but I solved it by:

setting validateRequest and validateResponse to false in the interceptor.

No need to hack any code or extend any class. You can check the related issue at https://jira.spring.io/browse/SWS-961.

Javi Vazquez
0

I agree, this is a problem.

I have the same scenario where I do not need to validate the incoming message.

I have overridden the validateMessage method in my application class which extends Wss4jSecurityInterceptor and this seems to be a cleaner solution.

@Override
protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
        throws WsSecurityValidationException {
    return;
}

springbee
0

I found a workaround that works for me. Of course it would be better to be fixed in the next Spring-WS version.

public class MyWss4jSecurityInterceptor extends Wss4jSecurityInterceptor {

  private String validationActions;

  /**
   * Overrides the method in order to avoid a security check if the
   * ValidationAction 'NoSecurity' is selected.
   *
   * @param messageContext
   */
  @Override
  protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
        throws WsSecurityValidationException {
    if (!WSHandlerConstants.NO_SECURITY.equals(validationActions)) {
        super.validateMessage(soapMessage, messageContext);
    }
  }

  /**
   * @return the validationActions
   */
  public String getValidationActions() {
    return validationActions;
  }

  /**
   * @param validationActions the validationActions to set
   */
  @Override
  public void setValidationActions(String validationActions) {
    this.validationActions = validationActions;
    super.setValidationActions(validationActions);
  }
}
S. Rohe
0

You can use "org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor"; it's deprecated, though.

It worked for me instead of creating a new extension of the class; anyway, I am not using it for any validation.

Arun Pratap Singh