Bug 1043920

Summary: Basic security on http binding failing
Product: [JBoss] JBoss Fuse Service Works 6
Reporter: Pavel Drozd <pdrozd>
Component: SwitchYard
Assignee: kconner
Status: CLOSED WONTFIX
QA Contact: Jiri Sedlacek <jsedlace>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 6.0.0
CC: atangrin, dlesage, oskutka, rcernich, soa-p-jira, tcunning
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A secured service with an http binding does not require an authentication header. This causes a basic security failure, as the service can be requested without credentials.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-02 00:28:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (Description / Flags):
reproducer / none
switchyard original / none
switchyard ER6 / none
switchyard ER7 / none

Description Pavel Drozd 2013-12-17 12:55:07 UTC
Created attachment 837659 [details]
reproducer

Problem: A secured service with http binding does not require an authentication header.

The switchyard.xml (see switchyard-original.xml) defines the http binding on service "CustomService", component "Performance".

The bean scanner adds to the switchyard.xml a new component named "CustomService" (the java bean defines the annotation @Service(CustomService.class), so it is ok).

There is a difference between the switchyard.xml generated in ER6 and ER7.

The request to secured service published using switchyard.xml from previous version (ER6) requires authentication header, but the service published using switchyard.xml from ER7 does not, so the service can be requested without security.

ER6 switchyard:
the request to "http://localhost:8080/performance-binding-http-secured-basic/CustomService/sayHello" invokes the CustomService defined in Performance component, so it requires authentication.

ER7 switchyard:
the request to "http://localhost:8080/performance-binding-http-secured-basic/CustomService/sayHello" invokes the CustomService defined in the newly added CustomService component, so it does not require authentication. This is interesting, because the binding is defined for "Performance/CustomService".

switchyard-original.xml - original switchyard.xml
switchyard-ER6.xml - generated ER6
switchyard-ER7.xml - generated ER7

The reproducer is attached.

Comment 1 Pavel Drozd 2013-12-17 12:55:43 UTC
Created attachment 837660 [details]
switchyard original

Comment 2 Pavel Drozd 2013-12-17 12:56:06 UTC
Created attachment 837661 [details]
switchyard ER6

Comment 3 Pavel Drozd 2013-12-17 12:56:27 UTC
Created attachment 837662 [details]
switchyard ER7

Comment 4 Keith Babo 2013-12-17 14:03:45 UTC
A few comments on this project:

1) If you already have your bean service defined in switchyard.xml, there's no point in using BeanScanner in your pom.xml to generate config.

2) If you really want to use BeanScanner for some reason, it's important to make sure that the config that will be generated from annotations in the bean class matches any predefined config in switchyard.xml.  In this case, that means adding the componentName element to your annotation:

@Service(value = CustomService.class, componentName = "Performance")

What's happening at runtime here is that two instances of 'CustomService' are registered, one for each component definition in the generated switchyard.xml.  The promoted service is also named 'CustomService' so it is going to match based on name and that will provide two possibilities. Deployment happens in document order, so that's likely why the first, unsecured service is being invoked with your app.
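
One way to make the condition Keith describes visible before deployment, as an added example that is not code from this bug, from SwitchYard or from its contributors: a small Python lint that parses a switchyard.xml, resolves each promoted composite service against every component service carrying the same name, and flags the case where more than one component matches and the first in document order is not the one named in the promote attribute. The two XML samples are constructed for the example; the namespace URIs, class names and the security attribute on the component service are assumptions modelled on a SwitchYard 1.x switchyard.xml, not copied from the attachments on this bug.

```python
"""Lint a generated switchyard.xml for ambiguous promoted service names.

Follows the resolution Keith describes: a promoted service is matched to
component services by name, so two components that both expose
"CustomService" give two candidates and the first in document order wins.
Sample XML is constructed; namespaces, class names and the "security"
attribute are assumptions modelled on SwitchYard 1.x, not this bug's files.
"""
import xml.etree.ElementTree as ET

SCA_NS = "http://docs.oasis-open.org/ns/opencsa/sca/200912"

SWITCHYARD_HEAD = """<switchyard xmlns="urn:switchyard-config:switchyard:1.0"
  xmlns:sca="{sca}"
  xmlns:bean="urn:switchyard-component-bean:config:1.0"
  xmlns:http="urn:switchyard-component-http:config:1.0">
 <sca:composite name="performance-binding-http-secured-basic" targetNamespace="urn:example:1.0">
  <sca:service name="CustomService" promote="Performance/CustomService">
   <sca:interface.java interface="org.example.CustomService"/>
   <http:binding.http>
    <http:contextPath>performance-binding-http-secured-basic/CustomService</http:contextPath>
   </http:binding.http>
  </sca:service>
""".format(sca=SCA_NS)

# Constructed: the secured component the http binding is meant to reach.
PERFORMANCE_COMPONENT = """  <sca:component name="Performance">
   <bean:implementation.bean class="org.example.CustomServiceBean"/>
   <sca:service name="CustomService" security="basicSecurity">
    <sca:interface.java interface="org.example.CustomService"/>
   </sca:service>
  </sca:component>
"""

# Constructed: the extra component the bean scanner emits when @Service has no
# componentName; it sits ahead of "Performance" and carries no security.
SCANNED_COMPONENT = """  <sca:component name="CustomService">
   <bean:implementation.bean class="org.example.CustomServiceBean"/>
   <sca:service name="CustomService">
    <sca:interface.java interface="org.example.CustomService"/>
   </sca:service>
  </sca:component>
"""

TAIL = " </sca:composite>\n</switchyard>\n"

ER7_LIKE_XML = SWITCHYARD_HEAD + SCANNED_COMPONENT + PERFORMANCE_COMPONENT + TAIL
# With componentName = "Performance" on the annotation the scanner augments the
# existing component instead of adding a second one.
FIXED_XML = SWITCHYARD_HEAD + PERFORMANCE_COMPONENT + TAIL


def q(tag):
    """Qualify an SCA tag name for ElementTree lookups."""
    return "{%s}%s" % (SCA_NS, tag)


def check_promotions(xml_text):
    """Return one finding dict per promoted composite service."""
    root = ET.fromstring(xml_text)
    findings = []
    for composite in root.iter(q("composite")):
        components = composite.findall(q("component"))
        for promoted in composite.findall(q("service")):
            promote = promoted.get("promote")
            if not promote:
                continue
            intended, _, svc_name = promote.partition("/")
            svc_name = svc_name or promoted.get("name")
            # (component name, security attribute) for every match, in document order
            candidates = [(c.get("name"), s.get("security"))
                          for c in components
                          for s in c.findall(q("service"))
                          if s.get("name") == svc_name]
            first = candidates[0][0] if candidates else None
            findings.append({
                "service": svc_name,
                "intended_component": intended,
                "candidates": [name for name, _ in candidates],
                "first_in_document_order": first,
                "ambiguous": len(candidates) > 1,
                "unsecured_candidates": [name for name, sec in candidates if not sec],
                # The failure mode in this bug: name resolution lands on a
                # component other than the one the binding was written for.
                "resolves_to_unintended": len(candidates) > 1 and first != intended,
            })
    return findings


def report(findings):
    for f in findings:
        state = "AMBIGUOUS" if f["ambiguous"] else "ok"
        print("%s: %s -> %s (candidates: %s)" % (
            f["service"], state, f["first_in_document_order"], ", ".join(f["candidates"])))
        if f["resolves_to_unintended"]:
            print("  binding targets %s but resolves to %s; unsecured: %s" % (
                f["intended_component"], f["first_in_document_order"],
                ", ".join(f["unsecured_candidates"]) or "none"))


if __name__ == "__main__":
    report(check_promotions(ER7_LIKE_XML))
    report(check_promotions(FIXED_XML))
```

Run against the ER7-like sample the lint reports "CustomService" as ambiguous, resolving to the unsecured scanner-generated component rather than "Performance"; run against the fixed sample only one candidate remains and nothing is flagged. The document-order rule is the heuristic stated in this thread, so treat the "first_in_document_order" field as the likely target rather than a guarantee from the runtime.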

Comment 5 Rob Cernich 2014-10-21 15:05:05 UTC
Hey Kevin, I think this should be nack'd and marked as won't fix.

Comment 6 kconner 2015-02-10 23:20:25 UTC
nacking on behalf of dev given Keith's and Rob's comments