Hello!
I just recently subscribed to this mailing list, so hoping this is the correct place to post such questions.
We have just updated to Metro webservices 2.4.10. There seems to be an issue when sending a WS-Security header with, for example, an incorrect password. Any other issue with the security header seems to behave in the same way. In the application logs this seems to be correctly handled initially, but on the client side we receive a NullPointerException as a response:
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
    <S:Body>
        <S:Fault xmlns:ns4="http://schemas.xmlsoap.org/soap/envelope/">
            <S:Code>
                <S:Value>S:Receiver</S:Value>
            </S:Code>
            <S:Reason>
                <S:Text xml:lang="en">Cannot invoke "com.sun.xml.wss.impl.policy.mls.MessagePolicy.getAlgorithmSuite()" because "policy" is null</S:Text>
            </S:Reason>
        </S:Fault>
    </S:Body>
</S:Envelope>
In the application logs this is shown correctly:
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
    at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:145)
    at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:124)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:358)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:286)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:235)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:426)
    at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:265)
Cases where the security header is valid are working, and this error case also used to produce a proper error to the client in older versions. I have done some analysis myself, and this seems to boil down to the class ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/jaxws/impl/SecurityServerTube.java,
where the nullity of the policy variable is not correctly checked in the method initializeOutgoingProcessingContext:
    if (policy != null) {
        ctx.setSecurityPolicy(policy);
    }
    if (isTrustMessage(packet)) {
        ctx.isTrustMessage(true);
    }
    // set the policy, issued-token-map, and extraneous properties
    //ctx.setIssuedTokenContextMap(issuedTokenContextMap);
    if (isSCMessage || policy.getAlgorithmSuite() != null) {
        //override the binding level suite
        ctx.setAlgorithmSuite(policy.getAlgorithmSuite());
    } else {
        ctx.setAlgorithmSuite(getAlgoSuite(getBindingAlgorithmSuite(packet)));
    }
Is there a chance to have this checked and fixed in upcoming versions? I didn't find any way of reporting this issue.
BR,
Mikko Nurmi
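The following is an added, stand-alone illustration of the guard problem the post describes and one way to harden it; it is not Metro's code and not part of the original message. The types Suite, Policy and Ctx are minimal hypothetical stand-ins for Metro's AlgorithmSuite, MessagePolicy and ProcessingContext, and the fallback suite stands in for getAlgoSuite(getBindingAlgorithmSuite(packet)). The point it shows is that on the fault path (authentication already failed, so no message policy was resolved) the posted code dereferences policy unconditionally, and the NullPointerException replaces the real authentication fault; moving the suite lookup under the existing null check lets the original fault reach the client.

```java
import java.util.Objects;

// Added example, not Metro's code: Suite/Policy/Ctx are hypothetical stand-ins
// for AlgorithmSuite, MessagePolicy and ProcessingContext.
public class AlgorithmSuiteSelection {

    /** Stand-in for an AlgorithmSuite: just a name. */
    static final class Suite {
        final String name;
        Suite(String name) { this.name = name; }
    }

    /** Stand-in for MessagePolicy; getAlgorithmSuite() may legitimately return null. */
    static final class Policy {
        private final Suite suite;
        Policy(Suite suite) { this.suite = suite; }
        Suite getAlgorithmSuite() { return suite; }
    }

    /** Stand-in for the outgoing ProcessingContext. */
    static final class Ctx {
        Policy securityPolicy;
        Suite algorithmSuite;
    }

    /**
     * Mirrors the posted logic: the first guard protects setSecurityPolicy, but the
     * suite selection calls policy.getAlgorithmSuite() whenever isSCMessage is false,
     * so a null policy (the fault path) throws NullPointerException here.
     */
    static Ctx asPosted(Policy policy, boolean isSCMessage, Suite bindingSuite) {
        Ctx ctx = new Ctx();
        if (policy != null) {
            ctx.securityPolicy = policy;
        }
        if (isSCMessage || policy.getAlgorithmSuite() != null) {
            ctx.algorithmSuite = policy.getAlgorithmSuite();
        } else {
            ctx.algorithmSuite = bindingSuite;
        }
        return ctx;
    }

    /**
     * Hardened version: the policy is consulted only when one was resolved. In every
     * other case, including the fault path where the inbound security check already
     * failed, the binding-level suite is used so the original fault can be serialised
     * instead of being masked by an internal exception.
     */
    static Ctx hardened(Policy policy, boolean isSCMessage, Suite bindingSuite) {
        Ctx ctx = new Ctx();
        if (policy != null) {
            ctx.securityPolicy = policy;
        }
        if (policy != null && (isSCMessage || policy.getAlgorithmSuite() != null)) {
            ctx.algorithmSuite = policy.getAlgorithmSuite();
        } else {
            ctx.algorithmSuite = Objects.requireNonNull(bindingSuite, "binding-level suite");
        }
        return ctx;
    }

    public static void main(String[] args) {
        Suite binding = new Suite("binding-level suite");      // constructed sample value
        Policy withSuite = new Policy(new Suite("policy suite")); // constructed sample value

        // Normal request: both variants pick the policy's own suite.
        System.out.println("normal request, hardened: "
                + hardened(withSuite, false, binding).algorithmSuite.name);

        // Fault path: no policy was resolved because authentication failed upstream.
        System.out.println("fault path, hardened: "
                + hardened(null, false, binding).algorithmSuite.name);
        try {
            asPosted(null, false, binding);
        } catch (NullPointerException e) {
            System.out.println("fault path, as posted: NullPointerException replaces the real fault");
        }
    }
}
```

Run with `javac AlgorithmSuiteSelection.java && java AlgorithmSuiteSelection`. The hardened variant keeps the same selection rule for every case where a policy exists; it only changes what happens when policy is null, which is exactly the case the stack trace in the post reaches.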