[
https://issues.apache.org/jira/browse/WSS-459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13707312#comment-13707312
]
Marc Giger commented on WSS-459:
--------------------------------
Because
1) They are not part of the pre-validation
2) EncryptedParts can include the Body-Encryption.
RequiredParts could be included in the pre-validation since it does not support
the Body (would also be useless).
EncryptedParts is not included because it can contain the Body. Then you may
ask why it works with the signature!?
Simply because the SignaturePart is doing negative matching and the
SignaturePartSecurityEvent is
issued before the OperationEvent that triggers the pre-validation (since the
body element itself is signed).
EncryptedParts works exactly the same way as SignatureParts but there is an
important difference: EncryptionPart
for the Body is always Content-Encryption and therefore it may be (not verified
yet) that the SecurityEvent will be issued after the OperationSecurityEvent.
That said, for RequiredPart it should be possible to include it in the
pre-validation. For the others I think it's not that easy.
But that would be just a small optimization and does not solve the basic
problem. We have to call close() in any case before
the ServiceImpl is called when not using Message mode! Not doing so can result
in security issues.
Just some things on top of my head which are affected when close() is not
called:
- signature hash calculation may not be finished and not compared with the
given one
- No final check is done if all references were processed (sig and enc)
- Policy is not fully verified
- If the SwA patches will be accepted the attachments will not be processed
- and probably more....
As already noted, I would propose that we close the StAX reader before invoking
the service impl. when not using Message-Mode (and others streaming modes if
any)
and document on wikis etc. that if the MessageMode is used together with the
Streaming-WSS engine the user is responsible to leech
the stream to the end and call close().
> RequiredParts + EncryptedParts policy validation not working
> ------------------------------------------------------------
>
> Key: WSS-459
> URL: https://issues.apache.org/jira/browse/WSS-459
> Project: WSS4J
> Issue Type: Bug
> Reporter: Colm O hEigeartaigh
> Assignee: Marc Giger
> Fix For: 2.0
>
>
> RequiredParts policy validation is not working. A CXF negative test-case
> (StaxPartsTest) has a policy which "requires" a header of name "ToTo",
> however the (streaming) service throws no error.
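The comment above argues that the streaming engine's final checks (reference bookkeeping, signature comparison, full policy verification) only happen in close(), so a caller that hands the partially consumed StAX reader to the service implementation silently skips them. The following is an added illustration of that failure mode and of the proposed fix (drain the reader to END_DOCUMENT, then close it, before dispatch). It is not WSS4J or CXF code: the `FinalCheckReader` class is a hypothetical stand-in that models "checks run in close()" on top of the JDK's `StreamReaderDelegate`, and the SOAP envelope is a constructed sample.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;

/**
 * Hypothetical stand-in for a streaming security reader (NOT the WSS4J class):
 * the final verification only runs in close(), mirroring the behaviour the
 * comment describes. If the stream was abandoned before END_DOCUMENT the
 * remaining parts were never seen, so close() fails closed.
 */
class FinalCheckReader extends StreamReaderDelegate {
    private boolean reachedEndOfDocument = false;
    private boolean finalChecksRun = false;

    FinalCheckReader(XMLStreamReader parent) {
        super(parent);
    }

    @Override
    public int next() throws XMLStreamException {
        int event = super.next();
        if (event == XMLStreamConstants.END_DOCUMENT) {
            reachedEndOfDocument = true;
        }
        return event;
    }

    @Override
    public void close() throws XMLStreamException {
        // Stand-in for: compare signature hashes, check that every sig/enc
        // reference was processed, verify the complete policy.
        if (!reachedEndOfDocument) {
            throw new XMLStreamException(
                "stream not fully consumed: final security checks cannot be completed");
        }
        finalChecksRun = true;
        super.close();
    }

    boolean finalChecksRun() {
        return finalChecksRun;
    }
}

public class DrainBeforeDispatch {

    // Constructed sample envelope; not taken from the issue.
    static final String ENVELOPE =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soap:Header/><soap:Body><ping/></soap:Body></soap:Envelope>";

    /** Reads the remaining events up to END_DOCUMENT, then closes the reader. */
    static void drainAndClose(XMLStreamReader reader) throws XMLStreamException {
        while (reader.hasNext()) {
            reader.next();
        }
        reader.close();
    }

    /** Advances to the start of the Body, the point where a non-streaming service impl would be invoked. */
    static void readUntilBody(XMLStreamReader reader) throws XMLStreamException {
        while (reader.hasNext()) {
            if (reader.next() == XMLStreamConstants.START_ELEMENT
                    && "Body".equals(reader.getLocalName())) {
                return;
            }
        }
    }

    static FinalCheckReader newReader() throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // defensive default
        return new FinalCheckReader(factory.createXMLStreamReader(new StringReader(ENVELOPE)));
    }

    public static void main(String[] args) throws Exception {
        // Unsafe pattern: stop at the Body and dispatch without close().
        FinalCheckReader abandoned = newReader();
        readUntilBody(abandoned);
        System.out.println("dispatch without close(): final checks run = " + abandoned.finalChecksRun());

        // Proposed pattern: drain and close before the service impl is called.
        FinalCheckReader drained = newReader();
        readUntilBody(drained);
        drainAndClose(drained);
        System.out.println("drain + close() before dispatch: final checks run = " + drained.finalChecksRun());
    }
}
```

The first run prints `false`: nothing ever called close(), so in a real engine the hash comparison, reference check and policy verification would simply never execute, which is the security issue the comment raises. The second run prints `true`. In the wrapper, calling close() on a reader that was stopped at the Body throws instead of passing, which is the fail-closed behaviour a caller should expect when the stream is not fully consumed.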
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira