[ https://issues.apache.org/jira/browse/CXF-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-2924:
-------------------------------------

    Fix Version/s: 2.5
                   2.4.3

> WS-SP support does not enforce signature algorithm or digest algorithm on 
> server side
> -------------------------------------------------------------------------------------
>
>                 Key: CXF-2924
>                 URL: https://issues.apache.org/jira/browse/CXF-2924
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10, 2.3
>            Reporter: David Valeri
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.4.3, 2.5
>
>
> A WS-SP policy document that includes an algorithm suite assertion for a 
> signature operation, such as the example below, does not trigger the 
> enforcement of the algorithm suite in the inbound interceptors.
> {code:xml}
>     ...
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireIssuerSerialReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireIssuerSerialReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>     ...
> {code}
> While the message could be inspected in order to extract this information, 
> WSS4J already possesses the information.  Unfortunately, WSS4J does not 
> report the information in the result data (1.5.8).  This issue is blocked on 
> the addition of this information to the WSS4J results.  See WSS-236.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
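
The inbound check this issue asks for, sketched as an added example (it is not CXF or WSS4J code): it reads the algorithm URIs from a ds:Signature and compares them with the ones WS-SecurityPolicy 1.2 assigns to Basic256Sha256 for an asymmetric signature. The sample signature, the BASIC256SHA256 table and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# URIs WS-SecurityPolicy 1.2 assigns to Basic256Sha256 for asymmetric
# signatures: [Asym Sig] RsaSha1, [Digest] Sha256.
BASIC256SHA256 = {
    "SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
}

# Constructed sample: uses the suite's signature algorithm but a SHA-1
# digest, which a receiver enforcing the policy should reject.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue>
</ds:Signature>"""


def algorithm_of(parent, name):
    """Algorithm attribute of the named ds: child, or None if absent."""
    child = parent.find(DS + name)
    return child.get("Algorithm") if child is not None else None


def suite_violations(xml_text, suite=BASIC256SHA256):
    """List (element, reference URI, found, expected) for each mismatch."""
    # Assumption: input is already trusted to parse; use a hardened XML
    # parser for messages taken straight off the wire.
    violations = []
    for sig in ET.fromstring(xml_text).iter(DS + "Signature"):
        signed_info = sig.find(DS + "SignedInfo")
        if signed_info is None:
            violations.append(("SignedInfo", None, None, "present"))
            continue
        found = algorithm_of(signed_info, "SignatureMethod")
        if found != suite["SignatureMethod"]:
            violations.append(("SignatureMethod", None, found, suite["SignatureMethod"]))
        for ref in signed_info.findall(DS + "Reference"):
            found = algorithm_of(ref, "DigestMethod")
            if found != suite["DigestMethod"]:
                violations.append(("DigestMethod", ref.get("URI"), found, suite["DigestMethod"]))
    return violations
```

An empty list only means the algorithms that are present match the suite; whether a signature is required at all is a separate policy assertion.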

        
