[ https://issues.apache.org/jira/browse/RAMPART-264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Samisa Abeysinghe updated RAMPART-264:
--------------------------------------
Assignee: (was: Ruchith Udayanga Fernando)
> PolicyBasedResultsValidator fails on ContentEncryptedElements and
> EncryptedElements
> -----------------------------------------------------------------------------------
>
> Key: RAMPART-264
> URL: https://issues.apache.org/jira/browse/RAMPART-264
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.4
> Environment: tomcat6
> axis2 1.4
> Reporter: Christian Connert
> Attachments: message.xml, testPolicy.xml
>
>
> The validation of ContentEncryptedElements or EncryptedElements fails:
> Caused by: org.apache.rampart.RampartException: Missing encryption result for id : http://test.at/:name
>     at org.apache.rampart.PolicyBasedResultsValidator.validateEncryptedParts(PolicyBasedResultsValidator.java:448)
>     at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:144)
>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:204)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>     ... 21 more
> This error is caused by line number 447 - 448 of the
> PolicyBasedResultsValidator class.
> The problem is, that decrypted elements have no encryption id attribute and
> thus the check if(encPart.getEncId() == null) evaluates to true resulting in
> the given RampartException.
> From my point of view the error lies within the validation process. The
> behavior that no id attributes are present in a decrypted element is intended by
> the WS-SecurityPolicy specification.
> I would suggest two fixes:
> 1.) (Quick and Dirty) :
> Extend the PolicyBasedResultsValidator and override the
> validateEncryptedParts (almost the same as in base class):
> protected void validateEncryptedParts(ValidatorData data,
>         Vector encryptedParts, Vector results) throws RampartException {
>     RampartMessageData rmd = data.getRampartMessageData();
>
>     ArrayList encrRefs = getEncryptedReferences(results);
>
>     RampartPolicyData rpd = rmd.getPolicyData();
>
>     //Check for encrypted body
>     if(rpd.isEncryptBody()) {
>         if( !isRefIdPresent(encrRefs, data.getBodyEncrDataId())){
>             throw new RampartException("encryptedPartMissing",
>                     new String[]{data.getBodyEncrDataId()});
>         }
>     }
>
>     for (int i = 0 ; i < encryptedParts.size() ; i++) {
>         WSEncryptionPart encPart = (WSEncryptionPart)encryptedParts.get(i);
>
>         //This is the encrypted Body and we already checked encrypted body
>         if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
>             continue;
>         }
>
>         if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
>                 WSConstants.SIG_NS.equals(encPart.getNamespace()))
>                 || encPart.getType() == WSConstants.PART_TYPE_HEADER ) {
>             if (!isRefIdPresent(encrRefs,
>                     new QName(encPart.getNamespace(), encPart.getName()))) {
>                 throw new RampartException("encryptedPartMissing",
>                         new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>             }
>             continue;
>         }
>
>         if (encPart.getEncId() == null) {
>             // !!! this line is added !!!
>             if(!isRefIdPresent(encrRefs,
>                     new QName(encPart.getNamespace(), encPart.getName()))) {
>                 throw new RampartException("encryptedPartMissing",
>                         new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>             }
>         } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
>             throw new RampartException("encryptedPartMissing",
>                     new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>         }
>     }
> }
> One also needs to copy the private methods isRefIdPresent(ArrayList refList,
> QName qname) and isRefIdPresent(ArrayList refList, String id) from the
> PolicyBasedResultsValidator class.
> Then the Rampart config can be adapted to use the new
> PolicyValidatorCallbackHandler (ramp:policyValidatorCbClass).
> 2.) (Clean but more work)
> From my point of view the WSEncryptionPart should be of type
> WSConstants.PART_TYPE_ELEMENT. This must be set within the methods
> getContentEncryptedElements and getPartsAndElements. Those methods iterate
> over the XPaths of the corresponding ContentEncryptedElements or
> EncryptedElements. They create new WSEncryptionParts but don't set any type.
> If the type were set correctly, then one could check for this type within
> the PolicyBasedResultsValidator (line 437) as follows:
> if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
>         WSConstants.SIG_NS.equals(encPart.getNamespace()))
>         || encPart.getType() == WSConstants.PART_TYPE_HEADER
>         || encPart.getType() == WSConstants.PART_TYPE_ELEMENT ) {
>     if (!isRefIdPresent(encrRefs,
>             new QName(encPart.getNamespace(), encPart.getName()))) {
> Hopefully this helps to locate and fix the bug.
> Note:
> As in (http://issues.apache.org/jira/browse/RAMPART-218) the policy isn't
> processed, if ContentEncryptedElements or EncryptedElements are the only
> assertions.
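Added illustration (not Rampart code and not the reporter's patch): a small Python model of the validateEncryptedParts check, showing why a decrypted element with no id fails unconditionally in the original check and how the QName fallback from fix 1 still rejects an element that arrived unencrypted. The EncryptionPart/QName classes, the sample policy parts and the result ids are constructed for this model.

```python
from dataclasses import dataclass
from typing import Optional

SIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_LN = "Signature"
PART_TYPE_BODY, PART_TYPE_HEADER, PART_TYPE_ELEMENT = "body", "header", "element"

class RampartException(Exception):
    pass

@dataclass(frozen=True)
class QName:
    namespace: str
    local: str

@dataclass
class EncryptionPart:
    name: str
    namespace: str
    part_type: Optional[str] = None  # None models the type left unset for EncryptedElements
    enc_id: Optional[str] = None     # decrypted elements carry no id (the issue's root cause)

def validate_encrypted_parts(parts, refs, body_id, encrypt_body, qname_fallback):
    """refs: ids and QNames collected from the decryption results (as getEncryptedReferences would).
    qname_fallback=False reproduces the failing check; True applies the reporter's quick fix."""
    if encrypt_body and body_id not in refs:
        raise RampartException(f"encryptedPartMissing: {body_id}")
    for part in parts:
        if part.part_type == PART_TYPE_BODY:
            continue  # body was already checked above
        qname = QName(part.namespace, part.name)
        is_signature = part.namespace == SIG_NS and part.name == SIG_LN
        if is_signature or part.part_type == PART_TYPE_HEADER:
            if qname not in refs:
                raise RampartException(f"encryptedPartMissing: {part.namespace}:{part.name}")
            continue
        if part.enc_id is None:
            if not qname_fallback:
                # original behaviour: every decrypted element lands here and fails
                raise RampartException(f"Missing encryption result for id : {part.namespace}:{part.name}")
            if qname not in refs:  # quick fix: match the element by QName instead of by id
                raise RampartException(f"encryptedPartMissing: {part.namespace}:{part.name}")
        elif part.enc_id not in refs:
            raise RampartException(f"encryptedPartMissing: {part.namespace}:{part.name}")
    return True

# Constructed sample: policy requires the Body and the element {http://test.at/}name to be encrypted
POLICY_PARTS = [EncryptionPart("Body", "http://schemas.xmlsoap.org/soap/envelope/", PART_TYPE_BODY),
                EncryptionPart("name", "http://test.at/")]
GOOD_RESULTS = {"EncDataId-body", QName("http://test.at/", "name")}   # both parts were decrypted
CLEARTEXT_RESULTS = {"EncDataId-body"}                                  # element arrived unencrypted
```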
--
This message is automatically generated by JIRA.