[ 
https://issues.apache.org/jira/browse/AXIS2-2019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466996
 ] 

Hans G Knudsen commented on AXIS2-2019:
---------------------------------------

Hi again!

ad 1) 
Forgot to mention that all info needed for the check is present in 
PolicyBasedResultsValidator. I hope to be able to present a patch in a few 
days...


ad 2/3)
I tracked down the problem to RampartUtil.getSignedParts() :

Here the vector is always pre-initialized with the 'SignedParts'  from 
PolicyData (these are headers only) and in the case where

  rpd.isEntireHeadersAndBodySignatures()

all headers from Soap message afterwards are added.

Would it be OK to just start with an empty Vector in this case ??




> RAMPART : Policy handling of  <SignedPart> <Header(s)..
> -------------------------------------------------------
>
>                 Key: AXIS2-2019
>                 URL: https://issues.apache.org/jira/browse/AXIS2-2019
>             Project: Apache Axis 2.0 (Axis2)
>          Issue Type: Bug
>            Reporter: Hans G Knudsen
>         Assigned To: Ruchith Udayanga Fernando
>
> Hi
> Interop testing with .Net/WCF we noticed a few problems if we used/tried to 
> specify "Headers" in the SignedParts Policy block
> eg
>     <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body/>
>         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>     </sp:SignedParts>
> 1: Incoming handling does not use the list to check that specified headers 
> were signed
> Check could be :
> - Is header from policy-list present in Soap message ?
> - if present - check if header is in 'SignedElements' in 
> WSSecurityEngineResult
> 2: Outgoing handling fails if header specified in policy is  not present in 
> Soap Message - and message is not sent
> Rampart calls WSS4J->WSSecSignature.addReferencesToSign to add headers to be 
> signed - but fails if header is not present - could be a specified addressing 
> header which is not needed in the current message.
> Is this a desirable behaviour ?
> I suppose you specify the headers in <SignedParts> because you want to 
> enforce that they are signed (when receiving) - so should outgoing handling 
> not be a little less strict ?? 
> ( - this could of course also be a bug in WSS4J )
> 3. When used together with policy element <OnlySignEntireHeadersAndBody> - 
> headers are added twice to the signature.
> Axis survives this - but .Net/WCF coughs a bit (throws exception / Soap fault)
> - this is related to (2) 
> /hans

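The three points discussed in this message, as an added example that is not part of the original e-mail and is not Rampart or WSS4J code: an inbound check that every policy-listed header present in the message was signed, and an outbound part list that skips absent headers and lists each header once. The class and method names are hypothetical, headers are modelled as plain QNames, and the outbound rule assumes the "start with an empty Vector" approach asked about above.

```java
import java.util.*;
import javax.xml.namespace.QName;

// Hypothetical names; plain JDK only, no Rampart/WSS4J calls.
public class SignedPartsCheck {
    static final String WSA = "http://www.w3.org/2005/08/addressing";

    /** Point 1 (inbound): policy headers that are in the message but not in the signed elements. */
    static List<QName> unsignedRequiredHeaders(List<QName> policyHeaders,
                                               Set<QName> messageHeaders,
                                               Set<QName> signedElements) {
        List<QName> missing = new ArrayList<>();
        for (QName h : policyHeaders) {
            // A policy header absent from the message is not a violation.
            if (messageHeaders.contains(h) && !signedElements.contains(h)) {
                missing.add(h);
            }
        }
        return missing;
    }

    /** Points 2 and 3 (outbound): skip absent policy headers, never list a header twice. */
    static List<QName> headersToSign(List<QName> policyHeaders,
                                     List<QName> messageHeaders,
                                     boolean entireHeadersAndBody) {
        Set<QName> parts = new LinkedHashSet<>();   // keeps order, drops duplicates
        if (entireHeadersAndBody) {
            parts.addAll(messageHeaders);           // start empty: policy headers are already covered
        } else {
            for (QName h : policyHeaders) {
                if (messageHeaders.contains(h)) parts.add(h);
            }
        }
        return new ArrayList<>(parts);
    }

    public static void main(String[] args) {
        List<QName> policy = List.of(new QName(WSA, "To"), new QName(WSA, "Action"),
                new QName(WSA, "MessageID"), new QName(WSA, "ReplyTo"));
        // Constructed sample message: carries no ReplyTo header.
        List<QName> msg = List.of(new QName(WSA, "To"), new QName(WSA, "Action"),
                new QName(WSA, "MessageID"));
        // Constructed verification result: Action was left unsigned.
        Set<QName> signed = Set.of(new QName(WSA, "To"), new QName(WSA, "MessageID"));

        System.out.println("unsigned: " + unsignedRequiredHeaders(policy, new HashSet<>(msg), signed));
        System.out.println("to sign (policy list): " + headersToSign(policy, msg, false));
        System.out.println("to sign (entire headers): " + headersToSign(policy, msg, true));
    }
}
```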