Apache CXF supports using XML Signature and encryption to secure
JAX-RS services. Two different implementations are available: a DOM-based
approach that works on an in-memory model of the message before applying
security, and a streaming-based implementation that is a useful alternative
for larger messages.

There is a bug in message validation for JAX-RS clients using the streaming
approach: the client does not enforce that the message is signed and/or
encrypted. An exception is thrown in these cases but is not properly propagated
to the client code. The bug does not apply to the DOM clients, and it does not
apply to the streaming server-side case.
Created cxf tracking bugs for this issue:
Affects: fedora-all [bug 1445335]

This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832