[
https://issues.apache.org/jira/browse/WSS-610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexandru-Constantin Bledea updated WSS-610:
--------------------------------------------
Description:
The decode method from org.apache.wss4j.dom.util.WSSecurityUtil doesn't appear
to do the right thing when sending NoSecurity.
If we're sending for instance "UsernameToken NoSecurity Signature" we're
getting back [1]
From my point of view, it should probably return [1, 0, 2].
However, it seems like the person who wrote that code wanted NoSecurity to
override any other security policy (just like
org.apache.ws.security.util.WSSecurityUtil's decodeAction, however even there
the action list isn't cleared), in that case it should probably return just [0]
or [], but stopping at what we already parsed up to now and not including
NoSecurity doesn't seem to be the correct behavior.
was:
The decode method from org.apache.wss4j.dom.util.WSSecurityUtil doesn't appear
to do the right thing when sending NoSecurity.
If we're sending for instance "UsernameToken NoSecurity Signature" we're
getting back [1]
From my point of view, it should probably return [1, 0, 2].
However, it seems like the person who wrote that code wanted NoSecurity to
override any other security policy (just like
org.apache.ws.security.util.WSSecurityUtil's decodeAction, however even there
the action list isn't cleared), in that case it should probably return just
[0], but stopping at what we already parsed up to now and not including
NoSecurity doesn't seem to be the correct behavior.
> WSSecurityUtil.decodeAction misbehaving when sending NoSecurity
> ---------------------------------------------------------------
>
> Key: WSS-610
> URL: https://issues.apache.org/jira/browse/WSS-610
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Reporter: Alexandru-Constantin Bledea
> Assignee: Colm O hEigeartaigh
>
> The decode method from org.apache.wss4j.dom.util.WSSecurityUtil doesn't
> appear to do the right thing when sending NoSecurity.
> If we're sending for instance "UsernameToken NoSecurity Signature" we're
> getting back [1]
> From my point of view, it should probably return [1, 0, 2].
> However, it seems like the person who wrote that code wanted NoSecurity to
> override any other security policy (just like
> org.apache.ws.security.util.WSSecurityUtil's decodeAction, however even there
> the action list isn't cleared), in that case it should probably return just
> [0] or [], but stopping at what we already parsed up to now and not including
> NoSecurity doesn't seem to be the correct behavior.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
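The three behaviours discussed in the report, as an added example that is not part of the JIRA message and not WSS4J source code. It is a stand-alone model: the class name, the `Mode` names and the `dropped` helper are hypothetical, and the action codes are inferred from the report's own mapping of "UsernameToken NoSecurity Signature" to [1, 0, 2].

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Stand-alone model of the behaviour reported in WSS-610; not the WSS4J implementation.
public class DecodeActionModel {
    // Codes inferred from the report: "UsernameToken NoSecurity Signature" -> [1, 0, 2].
    static final Map<String, Integer> CODES =
        Map.of("NoSecurity", 0, "UsernameToken", 1, "Signature", 2);

    // Hypothetical names for the three semantics the report compares.
    enum Mode { STOP_AT_NOSECURITY, KEEP_ORDER, NOSECURITY_OVERRIDES }

    static List<Integer> decode(String actions, Mode mode) {
        List<Integer> result = new ArrayList<>();
        for (String name : actions.trim().split("\\s+")) {
            Integer code = CODES.get(name);
            if (code == null) {
                throw new IllegalArgumentException("Unknown action: " + name);
            }
            if (code == 0) {
                if (mode == Mode.STOP_AT_NOSECURITY) {
                    return result;       // reported behaviour: stop, omit NoSecurity and the rest
                }
                if (mode == Mode.NOSECURITY_OVERRIDES) {
                    return List.of(0);   // NoSecurity replaces every other action
                }
            }
            result.add(code);            // KEEP_ORDER: every action kept in sequence
        }
        return result;
    }

    // Configuration check: names that were configured but are absent from the decoded list.
    static List<String> dropped(String actions, List<Integer> decoded) {
        List<String> missing = new ArrayList<>();
        for (String name : actions.trim().split("\\s+")) {
            if (!decoded.contains(CODES.get(name))) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        String input = "UsernameToken NoSecurity Signature"; // input string from the report
        for (Mode m : Mode.values()) {
            List<Integer> out = decode(input, m);
            System.out.println(m + " -> " + out + " dropped=" + dropped(input, out));
        }
    }
}
```

Comparing the configured action names against the decoded list, as `dropped` does, makes it visible when an action such as Signature is silently lost.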