[
https://issues.apache.org/jira/browse/CXF-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Kulp reassigned CXF-2714:
--------------------------------
Assignee: Daniel Kulp
> SupportingToken UsernameToken is always encrypted
> -------------------------------------------------
>
> Key: CXF-2714
> URL: https://issues.apache.org/jira/browse/CXF-2714
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.6
> Reporter: Alexey Ilyin
> Assignee: Daniel Kulp
>
> If no encryption is specified in the policy file and UsernameToken is used as
> supporting token, then this token is always encrypted.
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.handleSupportingTokens(SupportingToken,
> boolean , Map<Token, WSSecBase>) does not check if UsernameToken is an
> encrypted token and unconditionally adds it to the encryptedTokensIdList.
> This can be easily fixed by modifying line 428 (as per src release 1.4) from
> encryptedTokensIdList.add(utBuilder.getId());
> to
>
> if (suppTokens.isEncryptedToken()) {
> encryptedTokensIdList.add(utBuilder.getId());
> }
> One more concern about comment that commented in file:
> //WebLogic and WCF always encrypt these
> //See:
> http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
> Currently WebLogic doesn't encrypt UsernameToken and we got interoperability
> issue between CXF and WebLogic
> Same bug already registered per RAMPART (RAMPART-225)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
