Processing of <Issuer> and <RequestSecurityTokenTemplate> in class
org.apache.ws.secpolicy.builders.IssuedTokenBuilder is wrong.
--------------------------------------------------------------------------------------------------------------------------------
Key: RAMPART-32
URL: https://issues.apache.org/jira/browse/RAMPART-32
Project: Rampart
Issue Type: Bug
Components: rampart-policy
Affects Versions: 1.1
Reporter: Uwe Kylau
There is a bug in method build(...) of class
org.apache.ws.secpolicy.builders.IssuedTokenBuilder,
which processes the <IssuedToken> assertion.
Instead of fetching the <RequestSecurityTokenTemplate> and calling
issuedToken.setRstTemplate(...),
the <Issuer> element is fetched again and issuedToken.setIssuerEpr(...) is
called a second time.
Extract of the incorrect code:

    public Assertion build(OMElement element, AssertionBuilderFactory factory)
            throws IllegalArgumentException {
        IssuedToken issuedToken = new IssuedToken();

        // Extract Issuer
        OMElement issuerElem = element.getFirstChildWithName(Constants.ISSUER);
        if (issuerElem != null && issuerElem.getFirstElement() != null) {
            issuedToken.setIssuerEpr(issuerElem.getFirstElement());
        }

        // Extract RSTTemplate
        OMElement rstTmplElem = element.getFirstChildWithName(Constants.ISSUER);
        if (rstTmplElem != null) {
            issuedToken.setIssuerEpr(rstTmplElem);
        }
        ...
    }

As can be seen, getFirstChildWithName(Constants.ISSUER) is called twice, as
well as setIssuerEpr(...).
As a result, the <RequestSecurityTokenTemplate> element will not be included in
the policy of the deployed service.
A client must obtain it locally (e.g. from a file) and cannot extract it
from the response of a metadata exchange.
Thx in advance for fixing this issue.
Best regards,
Uwe Kylau
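
The effect of the duplicated lookup, as an added example that is not part of the original report or of Rampart's code. It assumes the JDK DOM parser in place of Axiom, a hypothetical IssuedTokenModel class in place of IssuedToken, and a constructed policy assertion; running it shows which element ends up in each field for the reported lookup and for a lookup by the template name.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added illustration: JDK DOM stands in for Axiom; IssuedTokenModel is a hypothetical stand-in.
public class IssuedTokenBuilderCheck {
    // WS-SecurityPolicy 1.1 namespace, assumed here for the constructed sample.
    static final String SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";

    static class IssuedTokenModel { Element issuerEpr; Element rstTemplate; }

    // First child element named sp:local, or the first child element of any name if local is null.
    static Element child(Element parent, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && (local == null
                    || (SP.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))))
                return (Element) n;
        return null;
    }

    // fixed=false reproduces the reported lookup; fixed=true looks up the template by its own name.
    static IssuedTokenModel build(Element assertion, boolean fixed) {
        IssuedTokenModel t = new IssuedTokenModel();
        Element issuer = child(assertion, "Issuer");
        if (issuer != null && child(issuer, null) != null) t.issuerEpr = child(issuer, null);
        Element tmpl = child(assertion, fixed ? "RequestSecurityTokenTemplate" : "Issuer");
        if (tmpl != null) { if (fixed) t.rstTemplate = tmpl; else t.issuerEpr = tmpl; }
        return t;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertion; the endpoint address is a placeholder.
        String xml = "<sp:IssuedToken xmlns:sp='" + SP + "'"
            + " xmlns:wsa='http://www.w3.org/2005/08/addressing'>"
            + "<sp:Issuer><wsa:Address>http://sts.example/issue</wsa:Address></sp:Issuer>"
            + "<sp:RequestSecurityTokenTemplate><KeySize>256</KeySize>"
            + "</sp:RequestSecurityTokenTemplate></sp:IssuedToken>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        for (boolean fixed : new boolean[] {false, true}) {
            IssuedTokenModel t = build(root, fixed);
            System.out.println((fixed ? "fixed: " : "buggy: ") + "issuerEpr=" + t.issuerEpr.getNodeName()
                + " rstTemplate=" + (t.rstTemplate == null ? "null" : t.rstTemplate.getNodeName()));
        }
    }
}
```

With the reported lookup the template field stays null and the issuer field ends up holding the <Issuer> element itself rather than its child, because the second setIssuerEpr call overwrites the first.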