[ https://issues.apache.org/jira/browse/WSS-436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13640450#comment-13640450 ]

Colm O hEigeartaigh commented on WSS-436:
-----------------------------------------

Hi Marc,

This issue is not entirely fixed. Take the following configuration as an 
example:

    WSSSecurityProperties properties = new WSSSecurityProperties();
    properties.setOutAction(new XMLSecurityConstants.Action[] {
        WSSConstants.SIGNATURE, WSSConstants.USERNAMETOKEN
    });

    properties.addSignaturePart(
        new SecurePart(new QName(WSSConstants.NS_WSSE10, "UsernameToken"),
                       SecurePart.Modifier.Element)
    );
    properties.addSignaturePart(
        new SecurePart(new QName(WSSConstants.NS_SOAP11, "Body"),
                       SecurePart.Modifier.Element)
    );

As the Signature is before the UsernameToken, I guess the Signature cannot find 
the element to sign. In this case, the Signature signs the SOAP Body, and not 
the UsernameToken - which is placed after the Signature. The request is created 
without an error, even though the UsernameToken is not actually signed.

Colm.
                
> Outbound StaX code should fail on not finding a signature/encryption part
> -------------------------------------------------------------------------
>
>                 Key: WSS-436
>                 URL: https://issues.apache.org/jira/browse/WSS-436
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: 2.0
>
>
> The outbound StaX code should fail on not finding a signature/encryption 
> part. Perhaps we could just add a boolean to SecurePart indicating whether it 
> was satisfied or not, and then loop through the SecurePart lists when we're 
> done to check everything was matching.
> With the current code a user might specify the wrong namespace and then 
> assume security was applied.
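The behaviour Colm describes in the comment and the check the issue proposes, as an added illustration that is not WSS4J code: a toy model of a StAX-style outbound chain in which each action contributes a security-header element in action order, and the signature processor only sees events produced upstream of it (the assumption this model makes to reproduce the observed behaviour) plus the SOAP Body. `SecurePart` here carries the "satisfied" flag suggested in the issue, and `finish()` performs the end-of-document loop that rejects the request when a requested part was never matched. The class, method and field names are all hypothetical; only the two namespace URIs are real. The `main` method walks through the comment's SIGNATURE-before-USERNAMETOKEN ordering, the corrected ordering, and the wrong-namespace case from the issue description (the example goes one step beyond the comment by covering that third case too). Requires Java 16 or later for the record.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Toy model of a StAX-style outbound security chain (illustration only; none of
 * this is WSS4J code). Assumption: elements emitted by an action that runs after
 * SIGNATURE are injected downstream of the signature processor, so the signature
 * never sees them, which is the ordering problem reported in the comment.
 */
public class SecurePartCheck {

    // Real namespace URIs for WS-Security 1.0 secext and SOAP 1.1.
    static final String NS_WSSE10 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String NS_SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";

    /** Element start event: namespace plus local name. */
    record Element(String namespace, String localName) {
        @Override public String toString() { return "{" + namespace + "}" + localName; }
    }

    /** A part the caller asked to sign, with the "satisfied" flag proposed in WSS-436. */
    static final class SecurePart {
        final Element target;
        boolean satisfied;
        SecurePart(String namespace, String localName) {
            this.target = new Element(namespace, localName);
        }
    }

    /** Signature processor: marks a part satisfied when its element passes through. */
    static final class SignatureProcessor {
        private final List<SecurePart> parts;
        final List<Element> signed = new ArrayList<>();
        SignatureProcessor(List<SecurePart> parts) { this.parts = parts; }

        void process(Element e) {
            for (SecurePart p : parts) {
                if (p.target.equals(e)) { p.satisfied = true; signed.add(e); }
            }
        }

        /** The end-of-document check the issue asks for: every requested part must be satisfied. */
        void finish() {
            List<Element> missing = new ArrayList<>();
            for (SecurePart p : parts) {
                if (!p.satisfied) missing.add(p.target);
            }
            if (!missing.isEmpty()) {
                throw new IllegalStateException("Signature part(s) not found in message: " + missing);
            }
        }
    }

    /** Runs the chain; returns the elements actually signed, or throws if a part was missed. */
    static List<Element> sign(List<String> actions, List<SecurePart> parts) {
        SignatureProcessor signature = new SignatureProcessor(parts);
        boolean signatureStarted = false;
        for (String action : actions) {
            if (action.equals("SIGNATURE")) { signatureStarted = true; continue; }
            String localName = action.equals("USERNAMETOKEN") ? "UsernameToken" : action;
            Element headerElement = new Element(NS_WSSE10, localName);
            // Model assumption: header elements from actions listed after SIGNATURE
            // are emitted downstream of the signature processor and never reach it.
            if (!signatureStarted) signature.process(headerElement);
        }
        signature.process(new Element(NS_SOAP11, "Body")); // the Body always follows the header
        signature.finish(); // with the proposed check, a silent miss becomes a hard failure
        return signature.signed;
    }

    public static void main(String[] args) {
        List<SecurePart> parts = Arrays.asList(
            new SecurePart(NS_WSSE10, "UsernameToken"), new SecurePart(NS_SOAP11, "Body"));

        // 1. The configuration from the comment: SIGNATURE listed before USERNAMETOKEN.
        try {
            sign(Arrays.asList("SIGNATURE", "USERNAMETOKEN"), parts);
            System.out.println("unexpected: request built with the UsernameToken unsigned");
        } catch (IllegalStateException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }

        // 2. Reordered so the UsernameToken exists before the signature processor runs.
        List<SecurePart> freshParts = Arrays.asList(
            new SecurePart(NS_WSSE10, "UsernameToken"), new SecurePart(NS_SOAP11, "Body"));
        System.out.println("signed: " + sign(Arrays.asList("USERNAMETOKEN", "SIGNATURE"), freshParts));

        // 3. The case from the issue description: a mistyped namespace never matches anything.
        try {
            sign(Arrays.asList("USERNAMETOKEN", "SIGNATURE"), Arrays.asList(
                new SecurePart("http://example.invalid/wrong-namespace", "UsernameToken")));
        } catch (IllegalStateException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Cases 1 and 3 end in `finish()` throwing with the unmatched parts listed, while case 2 returns both the UsernameToken and the Body as signed; the difference between case 1 and case 2 is only the action order, which is the point of the comment.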
