[ https://issues.apache.org/jira/browse/RAMPART-384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ruchith Udayanga Fernando resolved RAMPART-384.
-----------------------------------------------

    Resolution: Fixed
      Assignee: Ruchith Udayanga Fernando

Fixed in revision 1438295.

> Invalid serialization for UsernameToken with WS-SecurityPolicy 1.2
> ------------------------------------------------------------------
>
>                 Key: RAMPART-384
>                 URL: https://issues.apache.org/jira/browse/RAMPART-384
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-policy
>    Affects Versions: 1.6.2
>         Environment: Java SDK 1.6.0_27
>                      Windows XP Pro SP3
>                      Axis2 1.6.2
>                      Neethi 3.0.2
>                      Rampart 1.6.2
>            Reporter: Yoann Guerro
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Critical
>              Labels: patch
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> The following policy is not correctly handled by Rampart policy:
>
> Input policy
>
> <sp:UsernameToken
>     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>   <wsp:Policy>
>     <sp:HashPassword/>
>     <sp:WssUsernameToken11/>
>   </wsp:Policy>
> </sp:UsernameToken>
>
> After serialization:
>
> <sp:UsernameToken
>     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>   <wsp:Policy>
>     <sp:WssUsernameToken11>
>       <sp:HashPassword/>
>     </sp:WssUsernameToken11>
>   </wsp:Policy>
> </sp:UsernameToken>
>
> This is due to the following code in the serialize method of the
> UsernameToken class in package org.apache.ws.secpolicy.model
>
>     if (isUseUTProfile10()) {
>         // <sp:WssUsernameToken10 />
>         writeStartElement(writer, prefix,
>                 SPConstants.USERNAME_TOKEN10 , namespaceURI);
>     } else {
>         // <sp:WssUsernameToken11 />
>         writeStartElement(writer, prefix,
>                 SPConstants.USERNAME_TOKEN11 , namespaceURI);
>     }
>
>     if (version == SPConstants.SP_V12) {
>
>         if (isNoPassword()) {
>             writeEmptyElement(writer, prefix,
>                     SPConstants.NO_PASSWORD, namespaceURI);
>         } else if (isHashPassword()){
>             writeEmptyElement(writer, prefix,
>                     SPConstants.HASH_PASSWORD, namespaceURI);
>         }
>
>         if (isDerivedKeys()) {
>             writeEmptyElement(writer, prefix,
>                     SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
>         } else if (isExplicitDerivedKeys()) {
>             writeEmptyElement(writer, prefix,
>                     SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
>         } else if (isImpliedDerivedKeys()) {
>             writeEmptyElement(writer, prefix,
>                     SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
>         }
>
>     }
>     writer.writeEndElement();
>
> There are several issues:
> - Ordering of elements doesn't respect the WS-SecurityPolicy 1.2 specs [1]
> - WssUsernameToken10 and WssUsernameToken11 aren't parents of other assertions
> - Use of assertions WssUsernameToken10 or WssUsernameToken11 is not mandatory
>
> The code should be corrected in:
>
>     if (version == SPConstants.SP_V12) {
>
>         if (isNoPassword()) {
>             writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD,
>                     namespaceURI);
>         } else if (isHashPassword()){
>             writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD,
>                     namespaceURI);
>         }
>
>         if (isDerivedKeys()) {
>             writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS,
>                     namespaceURI);
>         } else if (isExplicitDerivedKeys()) {
>             writeEmptyElement(writer, prefix,
>                     SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
>         } else if (isImpliedDerivedKeys()) {
>             writeEmptyElement(writer, prefix,
>                     SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
>         }
>
>     }
>     if (isUseUTProfile10()) {
>         // <sp:WssUsernameToken10 />
>         writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN10 ,
>                 namespaceURI);
>     } else if (isUseUTProfile11()) {
>         // <sp:WssUsernameToken11 />
>         writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN11 ,
>                 namespaceURI);
>     }
>
> [1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826535
> (Section 5.4.1)

--
This message is automatically generated by JIRA.
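A round-trip check for the serialization problem reported above, as an added example that is not part of the original message or of Rampart: it compares the assertions sitting directly under the UsernameToken's wsp:Policy before and after serialization and flags anything nested inside WssUsernameToken10/11. The function names are hypothetical, and the wsp namespace URI in the constructed samples is an assumption (the report does not show it), so wsp:Policy is matched by local name.

```python
import xml.etree.ElementTree as ET

# sp namespace taken from the IncludeToken URI in the report; the wsp namespace
# is not shown there, so wsp:Policy is matched by local name only.
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
PROFILES = {"WssUsernameToken10", "WssUsernameToken11"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def username_token_assertions(xml_text):
    """Return (direct, nested): assertion names directly under the token's
    wsp:Policy, and names found nested inside a profile assertion."""
    direct, nested = set(), set()
    root = ET.fromstring(xml_text)
    for token in root.iter("{%s}UsernameToken" % SP12):
        for policy in (c for c in token if _local(c.tag) == "Policy"):
            for assertion in policy:
                direct.add(_local(assertion.tag))
                if _local(assertion.tag) in PROFILES:
                    nested.update(_local(c.tag) for c in assertion)
    return direct, nested

def roundtrip_findings(before_xml, after_xml):
    """Compare a policy with its re-serialized form and list what changed."""
    before, _ = username_token_assertions(before_xml)
    after, nested = username_token_assertions(after_xml)
    findings = ["lost: " + n for n in sorted(before - after)]
    findings += ["added: " + n for n in sorted(after - before)]
    findings += ["nested under profile assertion: " + n for n in sorted(nested)]
    return findings

# Constructed samples: the two fragments from the report, wrapped with namespace
# declarations (the wsp URI is an assumption) so they parse stand-alone.
_NS = 'xmlns:sp="%s" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"' % SP12
INPUT_POLICY = ('<sp:UsernameToken %s><wsp:Policy><sp:HashPassword/>'
                '<sp:WssUsernameToken11/></wsp:Policy></sp:UsernameToken>' % _NS)
SERIALIZED_POLICY = ('<sp:UsernameToken %s><wsp:Policy><sp:WssUsernameToken11>'
                     '<sp:HashPassword/></sp:WssUsernameToken11></wsp:Policy>'
                     '</sp:UsernameToken>' % _NS)

if __name__ == "__main__":
    for line in roundtrip_findings(INPUT_POLICY, SERIALIZED_POLICY):
        print(line)
```

An empty result means the serialized policy still carries the same top-level UsernameToken assertions as the input.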