[esb-issues] [JBoss JIRA] (JBESB-3906) Backport JBESB-3898 to JBESB_4_11_CP2 branch
RH Bugzilla Integration (JIRA)
jira-events at lists.jboss.org
Thu Apr 4 03:33:43 EDT 2013
[ https://issues.jboss.org/browse/JBESB-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12764848#comment-12764848 ]
RH Bugzilla Integration commented on JBESB-3906:
------------------------------------------------
Tadayoshi Sato <tasato at redhat.com> made a comment on [bug 947862|https://bugzilla.redhat.com/show_bug.cgi?id=947862]
Hi Rick,
No, this regression is by no means caused by BZ902156. The error [1] reproduced by comment 13 of BZ915386 indicates it stems from the invoked web service not SOAPClient. And I confirmed in my environment that if all BZ915386 patches but CXF upgrade is applied the error doesn't happen. I believe the root cause should be found in the following BZs:
- [BZ-858926] [CVE-2012-3451] jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
- [BZ-896338] [CVE-2012-5633] jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints
I also doubt that this is a regression of JBoss ESB or SOA-P as no behaviours in JBoss ESB seem to change; what's changed is JBoss WS. So, should we close this BZ and chase it as a JBoss WS regression instead?
Thank you!
[1]
15:33:39,174 WARNING [PhaseInterceptorChain] Interceptor for {http://webservice_consumer1/helloworld}HelloWorldWSService#{http://webservice_consumer1/helloworld}sayHello has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: The given SOAPAction sayHello does not match an operation.
at org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor$SoapActionInAttemptTwoInterceptor.handleMessage(SoapActionInInterceptor.java:192)
at org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor$SoapActionInAttemptTwoInterceptor.handleMessage(SoapActionInInterceptor.java:164)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:111)
at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:99)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:431)
at org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerExt.java:173)
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:61)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:185)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.internalProcess(ActiveRequestResponseCacheValve.java:74)
at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:47)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
at java.lang.Thread.run(Thread.java:722)
> Backport JBESB-3898 to JBESB_4_11_CP2 branch
> --------------------------------------------
>
> Key: JBESB-3906
> URL: https://issues.jboss.org/browse/JBESB-3906
> Project: JBoss ESB
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Web Services
> Affects Versions: 4.11
> Reporter: Tadayoshi Sato
> Assignee: Tadayoshi Sato
> Fix For: 4.11 CP3
>
>
> Backport JBESB-3898 (EBWS on CXF fails to handle WS-Security header with soap:mustUnderstand="1") to JBESB_4_11_CP2 branch.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the esb-issues
mailing list