[ https://issues.apache.org/jira/browse/WSS-610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexandru-Constantin Bledea updated WSS-610:
--------------------------------------------
    Description: 
The decode method from org.apache.wss4j.dom.util.WSSecurityUtil doesn't appear 
to do the right thing when sending NoSecurity.
There seems to be an assumption that if someone will add NoSecurity it will 
always be in the first position.
But if we're sending for instance "UsernameToken NoSecurity Signature" we're 
getting back [ 1 ]. 
If we want NoSecurity to override all other actions, we should probably return 
[]

{code:java}
            if (single[i].equals(WSHandlerConstants.NO_SECURITY)) {
                return actions;
{code}
should probably be replaced with
{code:java}
            if (single[i].equals(WSHandlerConstants.NO_SECURITY)) {
                return Collections.emptyList();
{code}


  was:
The decode method from org.apache.wss4j.dom.util.WSSecurityUtil doesn't appear 
to do the right thing when sending NoSecurity.

If we're sending for instance "UsernameToken NoSecurity Signature" we're 
getting back [1]
From my point of view, it should probably return [1, 0, 2].

However, it seems like the person who wrote that code wanted NoSecurity to 
override any other security policy (just like 
org.apache.ws.security.util.WSSecurityUtil's decodeAction, however even there 
the action list isn't cleared), in that case it should probably return just [0] 
or [], but stopping at what we already parsed up to now and not including 
NoSecurity doesn't seem to be the correct behavior.


> WSSecurityUtil.decodeAction misbehaving when sending NoSecurity
> ---------------------------------------------------------------
>
>                 Key: WSS-610
>                 URL: https://issues.apache.org/jira/browse/WSS-610
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>            Reporter: Alexandru-Constantin Bledea
>            Assignee: Colm O hEigeartaigh
>
> The decode method from org.apache.wss4j.dom.util.WSSecurityUtil doesn't 
> appear to do the right thing when sending NoSecurity.
> There seems to be an assumption that if someone will add NoSecurity it will 
> always be in the first position.
> But if we're sending for instance "UsernameToken NoSecurity Signature" we're 
> getting back [ 1 ]. 
> If we want NoSecurity to override all other actions, we should probably 
> return []
> {code:java}
>             if (single[i].equals(WSHandlerConstants.NO_SECURITY)) {
>                 return actions;
> {code}
> should probably be replaced with
> {code:java}
>             if (single[i].equals(WSHandlerConstants.NO_SECURITY)) {
>                 return Collections.emptyList();
> {code}
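
The two behaviours discussed in this issue, side by side, as an added example that is not WSS4J source and not part of the original report. The class name, the lookup map and the method names are assumptions for illustration; the action codes (UsernameToken = 1, Signature = 2) are the ones the report shows.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Simplified stand-alone model of the parsing described in WSS-610 (hypothetical names).
public class NoSecurityDecodeDemo {
    static final String NO_SECURITY = "NoSecurity";
    // Action codes as shown in the report: UsernameToken=1, Signature=2.
    static final Map<String, Integer> CODES = Map.of("UsernameToken", 1, "Signature", 2);

    // Reported behaviour: stop at NoSecurity and return whatever was parsed so far.
    static List<Integer> decodeReported(String action) {
        List<Integer> actions = new ArrayList<>();
        for (String name : action.trim().split("\\s+")) {
            if (name.equals(NO_SECURITY)) {
                return actions; // earlier actions survive, later ones are silently dropped
            }
            actions.add(code(name));
        }
        return actions;
    }

    // Proposed behaviour: NoSecurity at any position overrides every other action.
    static List<Integer> decodeProposed(String action) {
        List<Integer> actions = new ArrayList<>();
        for (String name : action.trim().split("\\s+")) {
            if (name.equals(NO_SECURITY)) {
                return Collections.emptyList();
            }
            actions.add(code(name));
        }
        return actions;
    }

    static int code(String name) {
        Integer c = CODES.get(name);
        if (c == null) throw new IllegalArgumentException("Unknown action: " + name);
        return c;
    }

    public static void main(String[] args) {
        // Constructed sample action strings; the first is the one from the report.
        String[] samples = { "UsernameToken NoSecurity Signature", "NoSecurity Signature", "UsernameToken Signature" };
        for (String s : samples) {
            System.out.printf("%-36s reported=%s proposed=%s%n", s, decodeReported(s), decodeProposed(s));
        }
    }
}
```

With the reported logic, the position of NoSecurity decides which of the configured actions are kept, so a Signature listed after it is never applied even though it appears in the configuration.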


