CXF SOAP can't parse request on client side in case of 401 HTTP response code

Question

Colleagues,

I have SOAP web-service based on CXF implementation with enabled SSL & WSS configuration (cofigured using WSP). I have test tool for testing this service also written using CXF.

Positive cases are working. Trying to test negative cases with security errors (wrong certificate / signature).

I have requirement from customer that in case of security errors return fault:401 and HTTP response code 401.

Problem: When I return HTTP code 401 from web-service on receiver side (in test tool) I receive Marshaling errors because of incoming internal InputStream is empty (without content). When I return any other HTTP code (200/403/419/500/503) - there isn't any problem on receiver side! And I'm able to see SOAP fault with message generated in web-service side.

Questions:

Maybe there are some specific handling 401 HTTP code in CXF ?
Maybe there are some specific requirements in SOAP in general ?

If returning 401 HTTP code in SOAP it's bad practice could you please provide documents/source code to prove this behavior and help me change customer requirements. I tried to look throw the code and haven't find place where this case handles

P.S: Tried to capture traffic using WireShark and RawCap and tried to decode it without success.

Are you confident that CXF is handling the authentication that leads to the 401? It may not be seeing the request if the authentication is being failed by the containing application server. To customize the 401 error as a SOAP response, you may need to first unsecure the web service URL in the web.xml (or equivalent), and then handle the authentication directly yourself (e.g. `HttpServletRequest.login()` ). — df778899, Sep 10 '18 at 18:25

score 0 · Answer 1 · answered Sep 10 '18 at 14:12

0

I think answer in this question will help you question

The question also includes a reference to the soap specification for your customers about fault response codes.

answered Sep 10 '18 at 14:12

c0ld

770
4
15

TacheDeChoco · Answer 2 · 2018-09-11T19:08:05.263

0

Be careful because there are some major differences between SOAP 1.1 and SOAP 1.2 in the allowed HTTP status codes when a SOAP fault is returned.

in SOAP 1.1, the status code must always be 500 “Internal Server Error”.
in SOAP 1.2, it varies based on the type of the SOAP fault

edited Sep 11 '18 at 19:08

answered Sep 11 '18 at 10:33

TacheDeChoco

3,683
1
14
17

Thanks for answer! Do you have some information where I can read about this behavior? – damintsew Sep 11 '18 at 13:32
1

The SOAP 1.2 Fault to HTTP status mapping is available here (see table 20): https://www.w3.org/TR/soap12-part2/#tabresstatereccodes – TacheDeChoco Sep 11 '18 at 19:06
1

And the SOAP 1.1 specs are available here: https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383529 – TacheDeChoco Sep 11 '18 at 19:13

CXF SOAP can't parse request on client side in case of 401 HTTP response code

2 Answers2