[
https://issues.apache.org/jira/browse/RAMPART-277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
S.Uthaiyashankar resolved RAMPART-277.
--------------------------------------
Resolution: Fixed
Fix Version/s: NextVersion
Applied the patch in revision 1051777.
Thank you Dave and Thilina for the patch.
> Rampart ignores token inclusion settings when using the asymmetric security
> binding
> -----------------------------------------------------------------------------------
>
> Key: RAMPART-277
> URL: https://issues.apache.org/jira/browse/RAMPART-277
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.5
> Reporter: Dave Bryant
> Assignee: S.Uthaiyashankar
> Priority: Minor
> Fix For: NextVersion
>
> Attachments: RAMPART-277.patch, tokenReference.patch
>
>
> Consider the abbreviated policy below. It defines x509 tokens for the
> initiator and recipient: the initiator's token must be included in all
> messages from the initiator to the recipient, and the recipient's token must
> not be included at all.
> {code:xml}
> <wsp:Policy wsu:Id="servicePolicy">
>   <sp:AsymmetricBinding>
>     <sp:InitiatorToken>
>       <sp:X509Token
>         sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>     </sp:InitiatorToken>
>     <sp:RecipientToken>
>       <sp:X509Token
>         sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"/>
>     </sp:RecipientToken>
>   </sp:AsymmetricBinding>
> </wsp:Policy>
> {code}
> When Rampart is used as both the client and server for a web service using
> this policy, the client's certificate is correctly included as a binary
> security token in the request. However, the response message from the server
> to the client also includes this as a binary security token when referencing
> which token was used to encrypt the encrypted symmetric key. This is
> incorrect as the token was marked as only to be included in messages from the
> initiator to the recipient.
> The problem is that the asymmetric security binding uses
> RampartUtil.setKeyIdentifierType() to determine what type of key references
> should be used. At present it will always include a binary security token
> unless the token inclusion parameter is set to never - i.e. it does not take
> into account whether we are the initiator or not, and so doesn't handle the
> alwaysToInitiator and alwaysToRecipient inclusion modes.
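The decision the report says RampartUtil.setKeyIdentifierType() gets wrong, as an added Python model that is not Rampart's own code: the reported behaviour beside a role-aware one, evaluated for the initiator token of the policy above in both the request and the response. The reference-type names are assumptions loosely modelled on WSS4J's constants, and the role-aware version goes beyond the report by covering all five IncludeToken modes of the 2005/07 namespace.

```python
# Constructed model of the RAMPART-277 decision; not Rampart's code.
NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/"
NEVER, ONCE, ALWAYS_TO_RECIPIENT, ALWAYS_TO_INITIATOR, ALWAYS = (
    NS + s for s in ("Never", "Once", "AlwaysToRecipient", "AlwaysToInitiator", "Always")
)

# Reference styles (assumed names): carry the cert in the message as a
# BinarySecurityToken, or point at it by issuer/serial without shipping it.
BST_DIRECT_REFERENCE = "BST_DIRECT_REFERENCE"
ISSUER_SERIAL = "ISSUER_SERIAL"


def reported_key_identifier(include_token, we_are_initiator, first_message=True):
    """Behaviour described in the issue: the role is ignored, so a token is
    shipped as a BST in every message unless the mode is Never."""
    return ISSUER_SERIAL if include_token == NEVER else BST_DIRECT_REFERENCE


def role_aware_key_identifier(include_token, we_are_initiator, first_message=True):
    """Decide per message, taking into account who is sending it."""
    if include_token == NEVER:
        return ISSUER_SERIAL
    if include_token == ALWAYS:
        return BST_DIRECT_REFERENCE
    if include_token == ALWAYS_TO_RECIPIENT:      # only initiator -> recipient
        return BST_DIRECT_REFERENCE if we_are_initiator else ISSUER_SERIAL
    if include_token == ALWAYS_TO_INITIATOR:      # only recipient -> initiator
        return ISSUER_SERIAL if we_are_initiator else BST_DIRECT_REFERENCE
    if include_token == ONCE:                      # first initiator message only
        return BST_DIRECT_REFERENCE if we_are_initiator and first_message else ISSUER_SERIAL
    raise ValueError("unknown IncludeToken mode: %s" % include_token)


def initiator_token_references(decide):
    """How the initiator token (AlwaysToRecipient, as in the policy above) is
    referenced in the request (sent by the initiator) and in the response
    (sent by the recipient), using the given decision function."""
    return {
        "request": decide(ALWAYS_TO_RECIPIENT, we_are_initiator=True),
        "response": decide(ALWAYS_TO_RECIPIENT, we_are_initiator=False),
    }


if __name__ == "__main__":
    # Response under the reported logic ships the BST again; the role-aware
    # logic references it instead, matching the policy.
    print("reported:  ", initiator_token_references(reported_key_identifier))
    print("role-aware:", initiator_token_references(role_aware_key_identifier))
```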
--
This message is automatically generated by JIRA.