Bruno Campolo created WSS-505:
---------------------------------
Summary: WSSecurityUtil.storeElementInContext throws ArrayIndexOutOfBoundsException
Key: WSS-505
URL: https://issues.apache.org/jira/browse/WSS-505
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 1.6.16
Environment: Windows 7, Java 7
Reporter: Bruno Campolo
Assignee: Colm O hEigeartaigh
When calling an Apache CXF STS, an RSTR is sent along with a corresponding
Signature element in the Security header. The XML Signature specification
states that a Reference URI="" should be allowed, but WSS4J throws an
ArrayIndexOutOfBoundsException in this case.
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>#### REMOVED ####</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>#### REMOVED ####</SignatureValue>
  <KeyInfo>
    <wsse:SecurityTokenReference wsu:Id="STR-96B0809D81C151981114049297131153">
      <wsse:Reference URI="1058eb35-d9a6-4ff8-84ac-4f6d35ba3b3c"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
    </wsse:SecurityTokenReference>
  </KeyInfo>
</Signature>
It appears that the code that fails is in
org.apache.ws.security.util.SecurityUtil:
public static void storeElementInContext(DOMCryptoContext context, String uri, Element element) {
    String id = uri;
    if (uri.charAt(0) == '#') {   // <---- Exception thrown here since uri = ""
        id = id.substring(1);
    }
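The unguarded `charAt(0)` pattern quoted in the report, next to a guarded form that treats an empty `URI` as "no single element id", as an added example (not WSS4J code and not the project's fix). The class and method names `ReferenceUriExample`, `fragmentId` and `unguardedId` are hypothetical, and the `#STR-1` and `#` inputs are constructed samples.

```java
import java.util.Optional;

public class ReferenceUriExample {

    /**
     * Returns the id a reference URI names, or empty when it names none
     * (null, "" or a bare "#"). In XML Signature, URI="" refers to the
     * document containing the signature, so there is no element id to store.
     */
    static Optional<String> fragmentId(String uri) {
        if (uri == null || uri.isEmpty()) {
            return Optional.empty();
        }
        String id = uri.charAt(0) == '#' ? uri.substring(1) : uri;
        return id.isEmpty() ? Optional.empty() : Optional.of(id);
    }

    /** The unguarded pattern from the report, kept for comparison. */
    static String unguardedId(String uri) {
        String id = uri;
        if (uri.charAt(0) == '#') {   // throws when uri is ""
            id = id.substring(1);
        }
        return id;
    }

    public static void main(String[] args) {
        // Constructed inputs, plus the bare id used in the report's KeyInfo.
        String[] samples = { "", "#STR-1", "1058eb35-d9a6-4ff8-84ac-4f6d35ba3b3c", "#" };
        for (String uri : samples) {
            String unguarded;
            try {
                unguarded = "'" + unguardedId(uri) + "'";
            } catch (IndexOutOfBoundsException e) {
                unguarded = "threw " + e.getClass().getSimpleName();
            }
            String guarded = fragmentId(uri).map(s -> "'" + s + "'").orElse("no element id");
            System.out.printf("uri='%s' unguarded=%s guarded=%s%n", uri, unguarded, guarded);
        }
    }
}
```

A caller of the guarded form skips the id registration when the result is empty, so a message carrying `URI=""` no longer ends in an unhandled runtime exception.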