SupportingToken UsernameToken is always encrypted
-------------------------------------------------
Key: CXF-2714
URL: https://issues.apache.org/jira/browse/CXF-2714
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.2.6
Reporter: Alexey Ilyin

If no encryption is specified in the policy file and UsernameToken is used as a
supporting token, then this token is always encrypted.

org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.handleSupportingTokens(SupportingToken, boolean, Map<Token, WSSecBase>)
does not check if UsernameToken is an encrypted token and unconditionally adds
it to the encryptedTokensIdList.

This can be easily fixed by modifying line 428 (as per src release 1.4) from

    encryptedTokensIdList.add(utBuilder.getId());

to

    if (suppTokens.isEncryptedToken()) {
        encryptedTokensIdList.add(utBuilder.getId());
    }

One more concern is about the comment in the file:

    //WebLogic and WCF always encrypt these
    //See: http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html

Currently WebLogic doesn't encrypt UsernameToken and we got an interoperability
issue between CXF and WebLogic.

The same bug is already registered for RAMPART (RAMPART-225).
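
Added example, not part of the JIRA report or of CXF's code: a Python check that compares the supporting-token assertion in a policy with what a message's wsse:Security header shows, and flags the mismatch this issue describes. It assumes WS-SecurityPolicy 1.2 namespaces and that an encrypted UsernameToken appears as an xenc:EncryptedData child of wsse:Security; the function names are hypothetical and the policy and message strings are constructed samples.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def policy_wants_encrypted_ut(policy_xml):
    """True/False for the *SupportingTokens assertion holding sp:UsernameToken, else None."""
    for el in ET.fromstring(policy_xml).iter():
        ns, _, local = el.tag[1:].partition("}")
        if (ns == SP and local.endswith("SupportingTokens")
                and el.find(f".//{{{SP}}}UsernameToken") is not None):
            # Only the Encrypted* assertion variants request token encryption.
            return "Encrypted" in local
    return None

def ut_state_on_wire(soap_xml):
    """'cleartext', 'encrypted' or 'absent', judged from the wsse:Security header."""
    sec = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}Security")
    if sec is None:
        return "absent"
    if sec.find(f"{{{WSSE}}}UsernameToken") is not None:
        return "cleartext"
    # Assumption: the only encrypted header child would be the UsernameToken.
    if sec.find(f"{{{XENC}}}EncryptedData") is not None:
        return "encrypted"
    return "absent"

def check(policy_xml, soap_xml):
    wanted, state = policy_wants_encrypted_ut(policy_xml), ut_state_on_wire(soap_xml)
    if wanted is None or state == "absent":
        return "n/a"
    if wanted != (state == "encrypted"):
        return f"MISMATCH: policy encrypted={wanted}, wire={state}"
    return "ok"

# Constructed samples (not captured traffic).
POLICY_PLAIN = (f'<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="{SP}">'
    '<sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens></wsp:Policy>')
POLICY_ENC = POLICY_PLAIN.replace("sp:SupportingTokens", "sp:EncryptedSupportingTokens")
ENV = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
       f'<wsse:Security xmlns:wsse="{WSSE}">%s</wsse:Security></s:Header><s:Body/></s:Envelope>')
MSG_CLEAR = ENV % "<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>"
MSG_ENC = ENV % f'<xenc:EncryptedData xmlns:xenc="{XENC}"/>'

if __name__ == "__main__":
    for p, m in [(POLICY_PLAIN, MSG_CLEAR), (POLICY_PLAIN, MSG_ENC)]:
        print(check(p, m))
```

Run against messages captured from your own test client, this reports the second case (plain SupportingTokens policy, EncryptedData on the wire) as a mismatch.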