eclipse-ee4j / metro-saaj

https://eclipse-ee4j.github.io/metro-saaj/

saaj-impl 1.5.3 regression with WS-Security and Apache Santuario #183

Closed sephiroth-j closed 1 year ago

sephiroth-j commented 3 years ago

After updating to jaxws-rt 2.3.4 with saaj-impl 1.5.3 an exception occurs when validating incoming SOAP messages secured with ws-security using wssx-impl 2.4.5.

This has also been reported as SANTUARIO-570 and it might be related to #171.

How to reproduce

Please see the attached sample project. It contains a README on how to reproduce the error. metro-jax-ws-issue-226.zip

Exception

com.sun.xml.wss.XWSSecurityException: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:128)
        at de.sephiroth_j.demo.echo.WsSecurityHandler.verifyMessage(WsSecurityHandler.java:108)
        at de.sephiroth_j.demo.echo.WsSecurityHandler.handleMessage(WsSecurityHandler.java:67)
        at de.sephiroth_j.demo.echo.WsSecurityHandler.handleMessage(WsSecurityHandler.java:22)
        at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessage(HandlerProcessor.java:259)
        at com.sun.xml.ws.handler.HandlerProcessor.callHandlersRequest(HandlerProcessor.java:110)
        at com.sun.xml.ws.handler.ServerSOAPHandlerTube.callHandlersOnRequest(ServerSOAPHandlerTube.java:108)
        at com.sun.xml.ws.handler.HandlerTube.processRequest(HandlerTube.java:97)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1106)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989)
        at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:783)
        at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:390)
        at com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:348)
        at com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:378)
        at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:704)
        at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:182)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:131)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:167)
        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:831)
Caused by: com.sun.xml.wss.XWSSecurityException: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:892)
        at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:608)
        at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:69)
        at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:248)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:840)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:792)
        at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:231)
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:126)
        ... 43 common frames omitted
Caused by: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
        at java.xml/com.sun.org.apache.xerces.internal.dom.ElementImpl.setIdAttributeNode(ElementImpl.java:931)
        at com.sun.xml.messaging.saaj.soap.impl.ElementImpl.setIdAttributeNode(ElementImpl.java:1695)
        at org.apache.jcp.xml.dsig.internal.dom.DOMKeyInfo.<init>(DOMKeyInfo.java:107)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:152)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:191)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:147)
        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:750)
        ... 50 common frames omitted

sephiroth-j commented 3 years ago

@lukasj, would be great if you could have a look at this issue. In June we talked about it in https://github.com/eclipse-ee4j/metro-jax-ws/issues/226

sephiroth-j commented 1 year ago

While testing with the changes of #173 I found the reason for this error and the fix is quite easy.

Similar to removeAttributeNode(Attr) in ElementImpl, setIdAttributeNode(Attr, boolean) must be invoked with the actual delegate attribute instance and not with the instance of com.sun.xml.messaging.saaj.soap.impl.AttrImpl. Because element is of type com.sun.org.apache.xerces.internal.dom.ElementNSImpl and the owner element of the given attribute is of type com.sun.xml.messaging.saaj.soap.impl.ElementImpl, calling element.setIdAttributeNode with the SAAJ attribute does not work.

removeAttributeNode https://github.com/eclipse-ee4j/metro-saaj/blob/f4dc3e38e9b426766e17c513c302d9f546d1088d/saaj-ri/src/main/java/com/sun/xml/messaging/saaj/soap/impl/ElementImpl.java#L109-L115

So, this will fix the error. https://github.com/eclipse-ee4j/metro-saaj/blob/f4dc3e38e9b426766e17c513c302d9f546d1088d/saaj-ri/src/main/java/com/sun/xml/messaging/saaj/soap/impl/ElementImpl.java#L1676-L1679

     @Override
     public void setIdAttributeNode(Attr idAttr, boolean isId) throws DOMException {
-        element.setIdAttributeNode(idAttr, isId);
+        if (idAttr instanceof AttrImpl) {
+            element.setIdAttributeNode(((AttrImpl)idAttr).delegate, isId);
+        } else {
+            element.setIdAttributeNode(idAttr, isId);
+        }
     }
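
Review bot: the instanceof/unwrap branch added to setIdAttributeNode repeats the unwrapping that, per the comment above, removeAttributeNode(Attr) already performs, so consider moving it into one small private helper (a hypothetical unwrap(Attr) that returns ((AttrImpl) idAttr).delegate for SAAJ attributes and the argument itself otherwise) and calling it from both methods, which keeps any other Attr-accepting override from repeating this bug. The hunk also comes without a test: a regression test that calls setIdAttributeNode with an attribute obtained from the SAAJ element itself, the path DOMKeyInfo.<init> takes in the stack trace, would pin the fix.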
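
The owner mismatch described in the comment above can be reproduced with the JDK's DOM alone. This is an added example, not code from metro-saaj or from the issue: the `wrap` helper and the proxy objects are hypothetical stand-ins for SAAJ's wrapper classes, the Id value is constructed, and it assumes the JDK's bundled Xerces DOM is the default implementation.

```java
import java.lang.reflect.Proxy;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class IdAttrOwnerDemo {
    // Hypothetical stand-in for a SAAJ wrapper node: forwards every call to the
    // delegate, except getOwnerElement(), which answers with the wrapper element.
    static <T> T wrap(Class<T> type, Object delegate, Element wrapperOwner) {
        return type.cast(Proxy.newProxyInstance(
            IdAttrOwnerDemo.class.getClassLoader(), new Class<?>[] {type},
            (proxy, method, args) -> method.getName().equals("getOwnerElement")
                ? wrapperOwner : method.invoke(delegate, args)));
    }

    public static void main(String[] argv) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        // The delegate element and attribute, as the underlying DOM sees them.
        Element delegateEl = doc.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:KeyInfo");
        doc.appendChild(delegateEl);
        delegateEl.setAttributeNS(null, "Id", "constructed-key-1"); // constructed sample value
        Attr delegateAttr = delegateEl.getAttributeNodeNS(null, "Id");

        // The wrapper view: the attribute reports the wrapper element as its owner.
        Element wrapperEl = wrap(Element.class, delegateEl, null);
        Attr wrapperAttr = wrap(Attr.class, delegateAttr, wrapperEl);

        try {
            // Behaviour before the fix: the delegate element receives the wrapper
            // attribute, whose owner element is not the delegate element itself.
            delegateEl.setIdAttributeNode(wrapperAttr, true);
            System.out.println("wrapper attribute: accepted");
        } catch (DOMException e) {
            System.out.println("wrapper attribute: "
                + (e.code == DOMException.NOT_FOUND_ERR ? "NOT_FOUND_ERR" : e.toString()));
        }

        // Behaviour after the fix: pass the delegate attribute, which is what
        // ((AttrImpl) idAttr).delegate yields in the patch.
        delegateEl.setIdAttributeNode(delegateAttr, true);
        Element byId = doc.getElementById("constructed-key-1");
        System.out.println("delegate attribute: getElementById -> "
            + (byId == null ? "null" : byId.getNodeName()));
    }
}
```

Only after the Id is registered on the delegate can the document resolve the element by that Id, which is the step the stack trace shows failing inside DOMKeyInfo.<init>.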