[
https://issues.apache.org/jira/browse/RAMPART-384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yoann Guerro updated RAMPART-384:
---------------------------------
Description:
The following policy is not correctly handled by Rampart policy:
Input policy:
    <sp:UsernameToken
        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
            <sp:HashPassword/>
            <sp:WssUsernameToken11/>
        </wsp:Policy>
    </sp:UsernameToken>
After serialization:
    <sp:UsernameToken
        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
            <sp:WssUsernameToken11>
                <sp:HashPassword/>
            </sp:WssUsernameToken11>
        </wsp:Policy>
    </sp:UsernameToken>
This is due to the following code in the serialize method of the UsernameToken
class in package org.apache.ws.secpolicy.model:
    if (isUseUTProfile10()) {
        // <sp:WssUsernameToken10 />
        writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
    } else {
        // <sp:WssUsernameToken11 />
        writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
    }
    if (version == SPConstants.SP_V12) {
        if (isNoPassword()) {
            writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
        } else if (isHashPassword()) {
            writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
        }
        if (isDerivedKeys()) {
            writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
        } else if (isExplicitDerivedKeys()) {
            writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
        } else if (isImpliedDerivedKeys()) {
            writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
        }
    }
    writer.writeEndElement();
There are several issues:
- Ordering of elements doesn't respect the WS-SecurityPolicy 1.2 specs [1]
- WssUsernameToken10 and WssUsernameToken11 aren't parents of other assertions
- Use of assertions WssUsernameToken10 or WssUsernameToken11 is not mandatory
The code should be corrected to:
    if (version == SPConstants.SP_V12) {
        if (isNoPassword()) {
            writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
        } else if (isHashPassword()) {
            writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
        }
        if (isDerivedKeys()) {
            writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
        } else if (isExplicitDerivedKeys()) {
            writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
        } else if (isImpliedDerivedKeys()) {
            writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
        }
    }
    if (isUseUTProfile10()) {
        // <sp:WssUsernameToken10 />
        writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
    } else if (isUseUTProfile11()) {
        // <sp:WssUsernameToken11 />
        writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
    }
[1]
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826535
(Section 5.4.1)
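A small checker for the two defects the report describes (nested assertions under WssUsernameToken1x, and assertion order differing from the corrected serializer), written as an added example that is not part of the report or of Rampart. It walks the direct children of wsp:Policy in a serialized sp:UsernameToken; the samples are constructed from the report's XML with namespace declarations added, and the WS-Policy namespace URI used there is an assumption.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Choice groups in the order the report's corrected serializer emits them
# (WS-SecurityPolicy 1.2, section 5.4.1): password, derived keys, UT profile.
ORDER = [
    {"NoPassword", "HashPassword"},
    {"RequireDerivedKeys", "RequireImpliedDerivedKeys",
     "RequireExplicitDerivedKeys"},
    {"WssUsernameToken10", "WssUsernameToken11"},
]


def check_username_token(xml_text):
    """Return the list of problems found in one serialized sp:UsernameToken."""
    root = ET.fromstring(xml_text)
    # Accept wsp:Policy under any WS-Policy namespace version.
    policy = next((c for c in root if c.tag.endswith("}Policy")), None)
    if policy is None:
        return ["missing wsp:Policy child"]
    problems, seen = [], -1
    for child in policy:
        if not child.tag.startswith("{" + SP + "}"):
            problems.append("foreign element " + child.tag)
            continue
        name = child.tag.split("}", 1)[1]
        rank = next((i for i, g in enumerate(ORDER) if name in g), None)
        if rank is None:
            problems.append("unknown assertion sp:" + name)
            continue
        if len(child):  # nested assertions: the serialization bug in the report
            problems.append("sp:%s must be empty but has %d child element(s)"
                            % (name, len(child)))
        if rank < seen:
            problems.append("sp:" + name + " is out of order")
        elif rank == seen:
            problems.append("sp:" + name + " repeats its choice group")
        seen = max(seen, rank)
    return problems


# Constructed samples mirroring the report; the wsp namespace is assumed.
HEAD = ('<sp:UsernameToken xmlns:sp="%s" '
        'xmlns:wsp="http://www.w3.org/ns/ws-policy" '
        'sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient"><wsp:Policy>'
        % (SP, SP))
TAIL = "</wsp:Policy></sp:UsernameToken>"
GOOD = HEAD + "<sp:HashPassword/><sp:WssUsernameToken11/>" + TAIL
BAD = HEAD + "<sp:WssUsernameToken11><sp:HashPassword/></sp:WssUsernameToken11>" + TAIL

if __name__ == "__main__":
    print(check_username_token(GOOD))
    print(check_username_token(BAD))
```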
> Invalid serialization for UsernameToken with WS-SecurityPolicy 1.2
> ------------------------------------------------------------------
>
> Key: RAMPART-384
> URL: https://issues.apache.org/jira/browse/RAMPART-384
> Project: Rampart
> Issue Type: Bug
> Components: rampart-policy
> Affects Versions: 1.6.2
> Environment: Java SDK 1.6.0_27
> Windows XP Pro SP3
> Axis2 1.6.2
> Neethi 3.0.2
> Rampart 1.6.2
> Reporter: Yoann Guerro
> Priority: Critical
> Labels: patch
> Original Estimate: 1h
> Remaining Estimate: 1h
>