/**
 * Checks that a request whose SOAPAction header does not belong to the invoked
 * operation is refused by the endpoint at {@code add17}.
 *
 * <p>The test first calls both operations with the proxy's default settings and
 * expects them to succeed. It then overrides the SOAPAction on the client side three
 * times and expects every call to throw: once per operation with a different action
 * value, and once with an action value described below as not present in the binding.
 *
 * <p>NOTE(review): each negative case accepts any {@link Exception}. A failure that has
 * nothing to do with SOAPAction validation (for example a transport error) would also
 * satisfy the test. Consider asserting on the fault type or message so that the test
 * proves the mismatch itself was rejected.
 *
 * @throws Exception if proxy creation or one of the baseline calls fails
 */
public void testWrappedEncodedSoapActionSpoofing() throws Exception {
    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
    factory.setBus(bus);
    factory.setAddress(add17);
    factory.setServiceClass(WrappedGreeter.class);

    WrappedGreeter client = (WrappedGreeter) factory.create();
    // The same proxy object also exposes the JAX-WS request context used below.
    BindingProvider provider = (BindingProvider) client;

    // Baseline: with no SOAPAction override, both operations answer normally.
    assertEquals("sayHi", client.sayHiRequestWrapped("test"));
    assertEquals("sayHi2", client.sayHiRequest2Wrapped("test"));

    // Case 1: call the first operation with a mismatched SOAPAction.
    // "SAY_HI_2" is presumably the action bound to the second operation;
    // confirm against the WrappedGreeter binding.
    provider.getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true");
    provider.getRequestContext().put(BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2");
    try {
        client.sayHiRequestWrapped("test");
        // Assuming JUnit's fail(): it throws an Error subclass, so the catch below
        // does not swallow it and an accepted spoofed request fails the test.
        fail("Failure expected on spoofing attack");
    } catch (Exception expected) {
        // The call was refused, which is the outcome this case requires.
    }

    // Case 2: the mirror image, the second operation with "SAY_HI_1".
    provider.getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true");
    provider.getRequestContext().put(BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1");
    try {
        client.sayHiRequest2Wrapped("test");
        fail("Failure expected on spoofing attack");
    } catch (Exception expected) {
        // The call was refused, which is the outcome this case requires.
    }

    // Case 3: a SOAPAction that does not exist in the binding must be refused too.
    provider.getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true");
    provider.getRequestContext().put(BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN");
    try {
        client.sayHiRequestWrapped("test");
        fail("Failure expected on spoofing attack");
    } catch (Exception expected) {
        // The call was refused, which is the outcome this case requires.
    }
}