[ https://issues.apache.org/jira/browse/RAMPART-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Vladov updated RAMPART-218:
----------------------------------

    Attachment: securityPolicy.xml

The security policy that could be used to reproduce the issue. One should uncomment the <!-- sp:IncludeTimestamp/ --> assertion, otherwise the security engine won't process the message.

> EncryptedElements assertion failed validation in PolicyBasedResultsValidator
> ----------------------------------------------------------------------------
>
>                 Key: RAMPART-218
>                 URL: https://issues.apache.org/jira/browse/RAMPART-218
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>            Reporter: Stefan Vladov
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: securityPolicy.xml
>
>
> I've encountered some problems using the EncryptedElements assertion:
>
> 1) Rampart is not executed when the EncryptedElements assertion is the only
> protection assertion in the message (no other encryption / signature /
> timestamp), since the RampartUtil#isSecHeaderRequired check fails. Essentially
> the execution does not get into the following block
>
>     if (rpd.isEncryptBody() || rpd.getEncryptedParts().size() != 0 &&
>             rpd.getEncryptedElements().size() != 0 ) {
>         return true;
>     }
>
> and thus the method returns false. Shouldn't it be enough to have an
> EncryptedElements assertion to trigger Rampart, and why is it required to also
> have EncryptedParts?
>
> 2) In PolicyBasedResultsValidator#validateEncryptedParts, when calling
> isRefIdPresent(encrRefs, encPart.getEncId()), the encId of the encrypted
> element has a "#" before the id (as if it were a reference). Essentially,
> after decrypting the element, the EncryptedKeyProcessor in WSS4J adds a
> wsu:Id attribute to that element with the "#" sign (at the end of
> EncryptedKeyProcessor#decryptDataRef it calls
>
>     ((Element)node).setAttributeNS(WSConstants.WSU_NS,
>             wsuPrefix + ":Id", dataRefURI);
>     wsDataRef.setWsuId(dataRefURI.substring(1));
>
> where the dataRefURI is the encrypted element id with the "#" in front).
> Since the wsu:Id attribute contains the "#" character, the method
> isRefIdPresent fails to find the element id in the list of references and the
> validation fails. I'm not sure whether this is a problem in wss4j or in
> rampart, but a simple workaround would be to add the following lines in the
> validateEncryptedParts method:
>
>     if (encPart.getEncId() == null) {
>         throw new RampartException("encryptedPartMissing",
>                 new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>     } else {
>         String encId = encPart.getEncId();
>         if (encId != null && encId.startsWith("#")) {
>             encId = encId.substring(1);
>         }
>         if (!isRefIdPresent(encrRefs, encId)) {
>             throw new RampartException("encryptedPartMissing",
>                     new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>         }
>     }
>
> instead of
>
>     if (encPart.getEncId() == null) {
>         throw new RampartException("encryptedPartMissing",
>                 new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>     } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
>         throw new RampartException("encryptedPartMissing",
>                 new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>     }

-- 
This message is automatically generated by JIRA.
- You can reply to this email to add a comment to the issue online.
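To make the two failure modes in the report concrete, here is an added, self-contained example (my own code, not Rampart's or WSS4J's). It stands in for RampartUtil#isSecHeaderRequired and the validateEncryptedParts reference check using plain booleans, counts and a list of ids; the class and method names, the constructed id values, and the `||` reading of the fix for point 1 are assumptions.

```java
import java.util.Arrays;
import java.util.List;

// Constructed stand-in: the policy flags and the decrypted-reference list are
// plain values here, not Rampart's RampartPolicyData / WSS4J WSDataRef objects.
public class EncryptedElementsCheck {

    // Condition as quoted in the report: && binds tighter than ||, so an
    // EncryptedElements-only policy (no EncryptedParts) never requires the header.
    static boolean isSecHeaderRequiredAsReported(boolean encryptBody, int encryptedParts, int encryptedElements) {
        return encryptBody || encryptedParts != 0 && encryptedElements != 0;
    }

    // Reading suggested by the report's question (assumption, not the project's fix):
    // any one of the three assertions is enough to trigger Rampart.
    static boolean isSecHeaderRequiredFixed(boolean encryptBody, int encryptedParts, int encryptedElements) {
        return encryptBody || encryptedParts != 0 || encryptedElements != 0;
    }

    // Strip the leading "#" that WSS4J's decryptDataRef writes into the wsu:Id,
    // so the id compares equal to the wsuId values kept on the WSDataRef list.
    static String normaliseEncId(String encId) {
        if (encId != null && encId.startsWith("#")) {
            return encId.substring(1);
        }
        return encId;
    }

    // Equivalent of the report's workaround: true when the normalised encId is
    // found among the decrypted references, false when it is missing or null
    // (the real validator throws RampartException("encryptedPartMissing") then).
    static boolean encryptedPartPresent(List<String> encrRefs, String encId) {
        String id = normaliseEncId(encId);
        if (id == null) {
            return false;
        }
        return encrRefs.contains(id);
    }

    public static void main(String[] args) {
        // Policy carrying only an EncryptedElements assertion (point 1).
        System.out.println("as reported: " + isSecHeaderRequiredAsReported(false, 0, 1));
        System.out.println("fixed:       " + isSecHeaderRequiredFixed(false, 0, 1));

        // Constructed reference list as WSS4J leaves it: wsuId values without "#" (point 2).
        List<String> encrRefs = Arrays.asList("EncDataId-1", "EncDataId-2");
        System.out.println("present: " + encryptedPartPresent(encrRefs, "#EncDataId-1"));
        System.out.println("missing: " + encryptedPartPresent(encrRefs, "#EncDataId-9"));
    }
}
```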