[ https://issues.apache.org/jira/browse/CXF-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12854774#action_12854774 ]

Daniel Kulp commented on CXF-2714:
----------------------------------


If that change is made, we lose interoperability with .NET.   I've verified this 
by running the interop tests with that change and the tests fail.  
Interoperability with .NET is likely more important than with WebLogic so I'm 
going to keep the default as is.  However, I'm going to add a config property 
that can be set to turn this off.

    //WebLogic and WCF always encrypt UsernameTokens whenever possible
    //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
    //By default, we will encrypt as well for interop reasons.  However, this
    //setting can be set to false to turn that off.
    public static final String ALWAYS_ENCRYPT_UT =
        "ws-security.username-token.always.encrypted";
    

> SupportingToken UsernameToken is always encrypted
> -------------------------------------------------
>
>                 Key: CXF-2714
>                 URL: https://issues.apache.org/jira/browse/CXF-2714
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.6
>            Reporter: Alexey Ilyin
>
> If no encryption is specified in the policy file and UsernameToken is used as 
> supporting token, then this token is always encrypted. 
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.handleSupportingTokens(SupportingToken,
>  boolean , Map<Token, WSSecBase>) does not check if UsernameToken is an 
> encrypted token and unconditionally adds it to the encryptedTokensIdList. 
> This can be easily fixed by modifying line 428 (as per src release 1.4) from 
>                     encryptedTokensIdList.add(utBuilder.getId()); 
> to 
>   
>                    if (suppTokens.isEncryptedToken()) { 
>                         encryptedTokensIdList.add(utBuilder.getId()); 
>                     } 
> One more concern, about the comment in the file:
>                     //WebLogic and WCF always encrypt these
>                     //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
> Currently WebLogic doesn't encrypt UsernameToken and we got an interoperability 
> issue between CXF and WebLogic.
> The same bug is already registered for RAMPART (RAMPART-225).
