Wss4jSecurityInterceptor (wss4j2) validates despite NoSecurity setting [SWS-962]
Kevin Strobel opened SWS-962 and commented
When using the class org.springframework.ws.soap.security.*wss4j2*.Wss4jSecurityInterceptor with the property validationActions set to NoSecurity, Spring-WS-Security still tries to validate the message.
In the method setValidationActions, Apache's WSSecurityUtil decodes the split string into Integers representing the actions.
WSSecurityUtil just returns the internal List if the NoSecurity action is found. The dedicated Integer 0 for NoSecurity is not returned.
However Wss4jSecurityInterceptor#validateMessage (line 646) decides to bypass validation if the Integer 0 exists in the actions list.
Assuming that in the case of a NoSecurity validation action, no other validation action makes sense and therefore none else is specified, a fix would be to simply check whether the list is empty (NoSecurity applies).
// replace line 646 with the following instruction
if (validationActionsVector.isEmpty()) {
Affects: 2.3.0
1 votes, 2 watchers
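The mismatch described in the report, as an added stand-alone example (not Spring-WS or WSS4J code). `decode` is a simplified model of the decoding behaviour the report describes, the class and method names are hypothetical, and every action code except 0 for NoSecurity is constructed for this model.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class NoSecurityCheckDemo {
    static final int NO_SECURITY = 0; // value stated in the report

    // Constructed action codes, used by this model only.
    static final Map<String, Integer> CODES =
            Map.of("UsernameToken", 1, "Signature", 2, "Encrypt", 4);

    // Model of the decoding described in the report: when NoSecurity is
    // found, the list built so far is returned and 0 is never added to it.
    static List<Integer> decode(String actions) {
        List<Integer> out = new ArrayList<>();
        if (actions == null || actions.trim().isEmpty()) {
            return out;
        }
        for (String name : actions.trim().split("\\s+")) {
            if (name.equals("NoSecurity")) {
                return out;
            }
            Integer code = CODES.get(name);
            if (code == null) {
                throw new IllegalArgumentException("Unknown action: " + name);
            }
            out.add(code);
        }
        return out;
    }

    // The check the report attributes to validateMessage.
    static boolean bypassReported(List<Integer> a) { return a.contains(NO_SECURITY); }

    // The check the report proposes instead.
    static boolean bypassProposed(List<Integer> a) { return a.isEmpty(); }

    public static void main(String[] args) {
        // Constructed configurations: the reported case, a normal case,
        // NoSecurity mixed with another action, and a blank value.
        String[] configs = {"NoSecurity", "UsernameToken Signature", "UsernameToken NoSecurity", ""};
        for (String c : configs) {
            List<Integer> d = decode(c);
            System.out.printf("%-28s decoded=%-8s contains(0)=%-5b isEmpty()=%b%n",
                    "\"" + c + "\"", d, bypassReported(d), bypassProposed(d));
        }
    }
}
```

In this model the `contains(0)` check never skips validation, while `isEmpty()` skips it for `NoSecurity` alone and also for a blank value, and does not skip it when `NoSecurity` follows another action.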