How to avoid sending SOAP headers back in the response to the client in CXF?

Solution Verified - Updated -

Issue

  • We are posting this case as a potential security issue that we've identified somewhere between the base Fuse 6.1 and R2P5. We changed our authentication/authorization as a work-around; so we don't have an immediate way to demonstrate.
  • Using CXF SOAP services, defined in blueprint, when there is an unhandled exception, the WS-Security headers are relayed back to the client. This can include the username/password credentials that are supplied. In our case, we had a security appliance acting as an intermediary between our internal network and the internet. The credentials being returned to the client were not necessarily their own; rather, the credentials of the security appliance. This was not the behavior in 6.0 or the base 6.1; however, after adding R2P5 we saw it.

  • Whenever we develop a WSSE authentication service and provide the username and password as plain text, on a successful endpoint call we get the SOAP response back. But the SOAP response contains our credentials that were provided as part of the SOAP headers. This is sensitive information which we don't want to send back to the client. How can we have this implemented?
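As an added defensive example (not code from the original solution or from the CXF project), the following outbound CXF interceptor removes any wsse:Security header from a response or fault before it is serialized, so credentials received on the inbound request are never echoed back. The class name, the choice of the PRE_PROTOCOL phase, and the blueprint registration described afterwards are assumptions; the WS-Security namespace and element name are the standard OASIS values.

```java
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;

/**
 * Hypothetical interceptor (assumed name) that strips the WS-Security
 * header from outgoing SOAP messages. Register it on both the
 * out-interceptor chain and the out-fault chain, because the reported
 * leak occurs when an unhandled exception turns into a SOAP fault.
 */
public class StripSecurityHeaderInterceptor extends AbstractSoapInterceptor {

    // Standard OASIS WS-Security 1.0 namespace and the <wsse:Security> element.
    private static final QName WSSE_SECURITY = new QName(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        "Security");

    public StripSecurityHeaderInterceptor() {
        // PRE_PROTOCOL runs before the SOAP envelope and headers are written
        // to the wire, so removing the header here is effective.
        super(Phase.PRE_PROTOCOL);
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        // Only touch outbound messages; never modify the inbound request,
        // which still needs its Security header for authentication.
        if (!MessageUtils.isOutbound(message)) {
            return;
        }
        List<Header> headers = message.getHeaders();
        for (Iterator<Header> it = headers.iterator(); it.hasNext();) {
            Header header = it.next();
            if (WSSE_SECURITY.equals(header.getName())) {
                it.remove();  // drop the header carrying username/password
            }
        }
    }
}
```

In a blueprint-defined endpoint the bean would be listed under both `<jaxws:outInterceptors>` and `<jaxws:outFaultInterceptors>` of the `<jaxws:endpoint>`; registering it only on the normal out chain would leave the fault path, which is where the reported leak occurs, unprotected. A quick check after deployment is to trigger a deliberate fault and confirm the returned envelope contains no `wsse:Security` element.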

Environment

  • Red Hat JBoss Fuse
    • 6.x
  • Apache CXF
