[metro-dev] Issue in metro webservices-rt - Nullpointer in failing WS security header check
  • From: "Mikko Nurmi (Nokia)" <mikko.nurmi@xxxxxxxxx>
  • Date: Fri, 2 Feb 2024 10:45:18 +0000

Hello!

 

I just recently subscribed to this mailing list, so hoping this is the correct place to post such questions.

 

We have just updated to Metro webservices 2.4.10. There seems to be an issue when sending a WS security header with, for example, a false password. Any other issue with the security header seems to behave in the same way. In the application logs this seems to be handled correctly initially, but on the client side we receive a NullPointerException as a response:

<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
  <S:Body>
    <S:Fault xmlns:ns4="http://schemas.xmlsoap.org/soap/envelope/">
      <S:Code>
        <S:Value>S:Receiver</S:Value>
      </S:Code>
      <S:Reason>
        <S:Text xml:lang="en">Cannot invoke "com.sun.xml.wss.impl.policy.mls.MessagePolicy.getAlgorithmSuite()" because "policy" is null</S:Text>
      </S:Reason>
    </S:Fault>
  </S:Body>
</S:Envelope>

 

In the application logs this is shown correctly:


SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
        at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:145)
        at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:124)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:358)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:286)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:235)
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:426)
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:265) 

 

Cases where the security header is valid are working, and this error case used to produce a proper error to the client in the older versions. I have done some analysis myself, and this seems to boil down to the class ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/jaxws/impl/SecurityServerTube.java, where the nullity of the policy variable is not correctly checked in the method initializeOutgoingProcessingContext:

 

            if (policy != null) {
                ctx.setSecurityPolicy(policy);
            }
            if (isTrustMessage(packet)) {
                ctx.isTrustMessage(true);
            }
            // set the policy, issued-token-map, and extraneous properties
            //ctx.setIssuedTokenContextMap(issuedTokenContextMap);
            if (isSCMessage || policy.getAlgorithmSuite() != null) {
                //override the binding level suite
                ctx.setAlgorithmSuite(policy.getAlgorithmSuite());
            } else {
                ctx.setAlgorithmSuite(getAlgoSuite(getBindingAlgorithmSuite(packet)));
            }

 

Is there a chance to have this checked and fixed in upcoming versions? I didn’t find any way to report this issue.

 

BR,

Mikko Nurmi
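
The guard pattern from the snippet in the message above, reduced to stand-in types, as an added example that is not part of the original post and not Metro's code. `Policy`, `Ctx`, `BINDING_SUITE` and the fallback behaviour of `nullSafe` are assumptions made for illustration; the project's intended handling of a null policy may differ.

```java
// Added illustration; Policy and Ctx are hypothetical stand-ins, not Metro classes.
public class NullPolicyGuardDemo {
    static final class Policy {             // stand-in for MessagePolicy
        private final String suite;
        Policy(String suite) { this.suite = suite; }
        String getAlgorithmSuite() { return suite; }
    }
    static final class Ctx {                // stand-in for the processing context
        Policy policy;
        String suite;
    }
    static final String BINDING_SUITE = "binding-level-suite"; // constructed value

    // Same shape as the quoted snippet: the first guard does not protect the later use.
    static void asQuoted(Ctx ctx, Policy policy, boolean isSCMessage) {
        if (policy != null) {
            ctx.policy = policy;
        }
        if (isSCMessage || policy.getAlgorithmSuite() != null) {
            ctx.suite = policy.getAlgorithmSuite();
        } else {
            ctx.suite = BINDING_SUITE;
        }
    }

    // Null-safe variant (assumed behaviour): read the policy suite once, else fall back.
    static void nullSafe(Ctx ctx, Policy policy, boolean isSCMessage) {
        String policySuite = null;
        if (policy != null) {
            ctx.policy = policy;
            policySuite = policy.getAlgorithmSuite();
        }
        // isSCMessage alone no longer forces a dereference of a missing policy.
        ctx.suite = (policySuite != null) ? policySuite : BINDING_SUITE;
    }

    public static void main(String[] args) {
        try {
            asQuoted(new Ctx(), null, false);
        } catch (NullPointerException e) {
            System.out.println("as quoted, null policy -> " + e.getClass().getSimpleName());
        }
        Ctx b = new Ctx();
        nullSafe(b, null, true);
        System.out.println("null-safe, null policy -> " + b.suite);
        Ctx c = new Ctx();
        nullSafe(c, new Policy("policy-suite"), false);
        System.out.println("null-safe, policy present -> " + c.suite);
    }
}
```

With the unguarded form, the exception raised while building the outgoing context replaces the original authentication fault, which is why the client sees internal class names in the SOAP `Reason` text.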

 

