[ 
https://issues.apache.org/jira/browse/WSS-334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13189727#comment-13189727
 ] 

Colm O hEigeartaigh commented on WSS-334:
-----------------------------------------

Hi Alessio,

This patch is not necessary, as we are about to pick up Santuario 1.5.0, which 
takes care of this problem. In 1.5.0, any client code is responsible for 
providing all References, and so if WSS4J does not find the Element then 
signature validation will fail. See points 2 + 3 here for more info:

http://coheigea.blogspot.com/2012/01/apache-santuario-xml-security-for-java.html

It's possible that the Reference could be a http resource, which would not be 
resolved via the default CallbackLookup object in WSS4J, and so your patch 
would always cause that scenario to fail.

Colm.
                
> SignatureProcessor does not fail when ids of referenced signed elements are 
> duplicated
> --------------------------------------------------------------------------------------
>
>                 Key: WSS-334
>                 URL: https://issues.apache.org/jira/browse/WSS-334
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>            Reporter: Alessio Soldano
>            Assignee: Colm O hEigeartaigh
>         Attachments: diff-sign-dup-id.txt
>
>
> The SignatureProcessor::verifyXMLSignature should throw an exception when the 
> id of referenced elements is detected to be duplicated in the message being 
> processed.
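
The check requested in the issue, restricted to same-document references so that the HTTP-resource case raised in the comment is not rejected; this is an added example, not WSS4J, Santuario or the attached patch. The class and method names, the sample document, and the choice to treat only `wsu:Id` and unqualified `Id` attributes as identifiers are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added illustration (hypothetical names), not WSS4J or Santuario code.
public class DuplicateIdCheck {
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Count elements whose wsu:Id or unqualified Id attribute equals the given id.
    static int countById(Document doc, String id) {
        int hits = 0;
        NodeList all = doc.getElementsByTagName("*"); // every element in the document
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttributeNS(WSU_NS, "Id"))
                    || id.equals(e.getAttributeNS(null, "Id"))) {
                hits++;
            }
        }
        return hits;
    }

    // Only "#id" references are checked against the message; any other URI
    // (for example an http resource) is left to whatever resolver handles it.
    static void checkReference(Document doc, String uri) {
        if (!uri.startsWith("#")) return;
        int hits = countById(doc, uri.substring(1));
        if (hits != 1) {
            throw new SecurityException("Reference " + uri + " matches " + hits + " elements");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: id-1 appears twice, id-2 once.
        String xml = "<m xmlns:wsu='" + WSU_NS + "'>"
            + "<a wsu:Id='id-1'/><b wsu:Id='id-1'/><c wsu:Id='id-2'/></m>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        for (String uri : new String[] {"#id-2", "http://example.org/res", "#id-1", "#missing"}) {
            try { checkReference(doc, uri); System.out.println(uri + ": accepted"); }
            catch (SecurityException ex) { System.out.println(uri + ": rejected, " + ex.getMessage()); }
        }
    }
}
```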
