[esb-issues] [JBoss JIRA] (JBESB-3906) Backport JBESB-3898 to JBESB_4_11_CP2 branch

RH Bugzilla Integration (JIRA) jira-events at lists.jboss.org
Thu Apr 4 03:33:43 EDT 2013 

    [ https://issues.jboss.org/browse/JBESB-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12764848#comment-12764848 ] 

RH Bugzilla Integration commented on JBESB-3906:
------------------------------------------------

Tadayoshi Sato <tasato at redhat.com> made a comment on [bug 947862|https://bugzilla.redhat.com/show_bug.cgi?id=947862]

Hi Rick,

No, this regression is by no means caused by BZ902156. The error [1] reproduced by comment 13 of BZ915386 indicates it stems from the invoked web service not SOAPClient. And I confirmed in my environment that if all BZ915386 patches but CXF upgrade is applied  the error doesn't happen. I believe the root cause should be found in the following BZs:
- [BZ-858926] [CVE-2012-3451] jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
- [BZ-896338] [CVE-2012-5633] jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints

I also doubt that this is a regression of JBoss ESB or SOA-P as no behaviours in JBoss ESB seem to change; what's changed is JBoss WS. So, should we close this BZ and chase it as a JBoss WS regression instead?

Thank you!

[1]
15:33:39,174 WARNING [PhaseInterceptorChain] Interceptor for {http://webservice_consumer1/helloworld}HelloWorldWSService#{http://webservice_consumer1/helloworld}sayHello has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: The given SOAPAction sayHello does not match an operation.
	at org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor$SoapActionInAttemptTwoInterceptor.handleMessage(SoapActionInInterceptor.java:192)
	at org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor$SoapActionInAttemptTwoInterceptor.handleMessage(SoapActionInInterceptor.java:164)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:111)
	at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:99)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:431)
	at org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerExt.java:173)
	at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:61)
	at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:185)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.internalProcess(ActiveRequestResponseCacheValve.java:74)
	at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:47)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
	at java.lang.Thread.run(Thread.java:722)
                
> Backport JBESB-3898 to JBESB_4_11_CP2 branch
> --------------------------------------------
>
>                 Key: JBESB-3906
>                 URL: https://issues.jboss.org/browse/JBESB-3906
>             Project: JBoss ESB
>          Issue Type: Task
>      Security Level: Public(Everyone can see) 
>          Components: Web Services
>    Affects Versions: 4.11
>            Reporter: Tadayoshi Sato
>            Assignee: Tadayoshi Sato
>             Fix For: 4.11 CP3
>
>
> Backport JBESB-3898 (EBWS on CXF fails to handle WS-Security header with soap:mustUnderstand="1") to JBESB_4_11_CP2 branch.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the esb-issues mailing list