3 Replies Latest reply on Feb 19, 2014 10:27 AM by rameshkhot08

SOAP Message validation now enabled by default?

paul.robinson Sep 28, 2012 6:03 AM

Hello,

Since AS7 upgraded from CXF '2.4.8-patch-01' to '2.4.9' (https://github.com/jbossas/jboss-as/commit/0a1e626a5c4bf52a8c75e0cd27f15c4c08dfc24d) we have been getting the following 'unexpected element' error:

18:34:17,669 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-/127.0.0.1:8080-3) Interceptor for {http://schemas.arjuna.com/ws/2005/10/wsarjtx}TerminationParticipantSer
vice#{http://schemas.arjuna.com/ws/2005/10/wsarjtx}FaultOperation has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: Unexpected element {http://schemas.xmlsoa
p.org/soap/envelope/}Fault found.   Expected {http://schemas.arjuna.com/ws/2005/10/wsarjtx}Fault.
        at org.apache.cxf.interceptor.DocLiteralInInterceptor.validatePart(DocLiteralInInterceptor.java:259) [cxf-rt-core-2.4.9.jar:2.4.9]
        at org.apache.cxf.interceptor.DocLiteralInInterceptor.handleMessage(DocLiteralInInterceptor.java:201) [cxf-rt-core-2.4.9.jar:2.4.9]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) [cxf-api-2.4.9.jar:2.4.9]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-rt-core-2.4.9.jar:2.4.9]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207) [cxf-rt-transports-http-2.4.9.jar:2.4.9]
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185) [cxf-rt-transports-http-2.4.9.jar:2.4.9]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108) [cxf-rt-transports-http-2.4.9.jar:2.4.9]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.1.Final.jar:1.0.1.Final]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.1.Final.jar:1.0.1.Final]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931)
        at java.lang.Thread.run(Thread.java:680) [classes.jar:1.6.0_35]

This error occurs because our message type doesn't match that required by the WSDL:

 <soap:Body>
      <ns2:Fault xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns3="http://schemas.arjuna.com/ws/2005/10/wsarjtx">
         <faultcode>ns3:TransactionRolledBack</faultcode>
         <faultstring>ARJUNA043178: Transaction rolled back</faultstring>
      </ns2:Fault>
 </soap:Body>

Notice that the message is of type "ns2:Fault", rather than "ns3:Fault". The wsdl wants a '{http://schemas.arjuna.com/ws/2005/10/wsarjtx}Fault'.

So we have two problems here. The first is the problem that we have been sending malformed messages for some time. The second is that since the upgrade to CXF 2.4.9, this issue was not tolerated. In the long term we need to fix the message, but that may not be possible in the short term as we may not be able to get this fix into the release that needs it.

Do you know what has changed in CXF to cause this issue and do you know of a work-around?

For the original issue see here: https://issues.jboss.org/browse/JBTM-1275

Thanks,

Paul.

1. Re: SOAP Message validation now enabled by default?

asoldano Oct 1, 2012 4:41 AM (in response to paul.robinson)

Apache CXF 2.4.9 is more strict in terms of message validations for security reasons. This is also required to deal with the vulnerability mentioned at http://cxf.apache.org/cve-2012-3451.html .
Unfortunately, the only real solution here is fixing the wrong message. As a workaround, though, you might want to try setting the Apache CXF soap.no.validate.parts property to true in the message context. Unfortunately, on server side that's not easily done in an effective way withouth introducing a dependency to apache cxf api; you should try adding @org.apache.cxf.annotations.EndpointProperty(key = "soap.no.validate.parts", value = "true") to your endpoint impl class.
Actions
2. Re: SOAP Message validation now enabled by default?

paul.robinson Oct 1, 2012 7:35 AM (in response to asoldano)

Thanks Alessio,

That did the trick.

Paul.
Actions
3. Re: SOAP Message validation now enabled by default?

rameshkhot08 Feb 19, 2014 10:27 AM (in response to asoldano)

I am facing same problem. I added @org.apache.cxf.annotations.EndpointProperty(key = "soap.no.validate.parts", value = "true")
in my implementation class but jboss is not stooped validation.
Is anything specific need to do to make it work?
Actions

Go to original post