Hey Dan, Colm, all: This makes sense, and you can consider my -1 withdrawn.
I would, however, like to see Nandana's +1 on this before it goes out.

Thanks,
--Glen

Daniel Kulp wrote:
> As Colm mentioned, there is a patch on the Jira already. (actually, Colm
> could just commit it probably, but I suppose having someone look at it is a
> good idea)
>
> Basically, this is a bug in Rampart. Rampart is suffering from the same
> "blindly strip the first char" problem that wss4j did. If you put some
> printlns in the rampart token store, with 1.5.5, you can see:
>
> add: 7EA37A075C8888C7BE12367220453773
> add: #sctId-1176318351
> get: #sctId-1176318351: org.apache.rahas.to...@364e50ee
> get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@420253af
> Service invoked
> get: sctId-1176318351: org.apache.rahas.to...@420253af
> get: EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@364e50ee
>
> The last line is the telltale sign. That ID is NOT a valid token ID, but the
> token store is finding a token for it. That's probably some sort of security
> violation or something. Not sure how exploitable it is. What's worse, in
> SOME cases, if you pass the VALID id in, the store doesn't find the token for
> it.
>
> Actually, I would take the patch one further and update the
> STSClient.findIdentifier method to check the unattached first instead of the
> attached. With that, all the "add" calls would be with the full id and not
> the wsu:Id. The lookups later would be a bit quicker then as well.
>
> My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
> rampart release that fixes those issues.
>
> Dan
>
> On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> Hi Colm, all:
>>
>> -1 from me, unfortunately, since running the Rampart build with the new
>> WSS4J produced a test failure. In particular the testWithPolicy() test
>> in RampartTest (integration module) fails.
>>
>> DanK believes this might have to do with the way WSS4J has corrected its
>> URL handling (it was previously truncating the 1st char of all urls
>> assuming that they'd be of the form "#urn...").
>>
>> Could someone from rampart-dev have a look at this?
>>
>> Thanks,
>> --Glen
>>
>> P.S. A huge +1, by the way, to the congratulations on all the hard work
>> and interop success!
>>
>> Colm O hEigeartaigh wrote:
>>> To the Apache Web Services Community,
>>>
>>> This is a call for votes for the wss4j-1.5.6 release.
>>>
>>> The distribution can be found at the following URL:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>>>
>>> You can also point maven at the following URL to pull down the 1.5.6
>>> release POM, source, and class JARs:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>>>
>>> Additionally, the generated version of the web site can be found at
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>>>
>>> The list of bugs fixed in this release can be seen here:
>>>
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063&styleName=Html&version=12313623
>>>
>>> This vote will stay open for at least 72 hours.
>>>
>>> Here is my (non-binding and advisory) +1.
>>>
>>> Thanks,
>>>
>>> Colm.
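Dan's "blindly strip the first char" diagnosis, as an added example that is not Rampart or WSS4J code: a toy token store whose lookup drops the first character of every stored id (the bug) beside one that drops only a leading '#' fragment marker, probed with the ids from his trace. The Entry class, the two lookup methods and the list-scan matching rule are assumptions made for illustration, not the project's real logic.

```java
import java.util.ArrayList;
import java.util.List;

/** Constructed illustration of the lookup bug discussed in the thread (simplified stand-in, not Rampart/WSS4J code; the matching rule is an assumption). */
public class TokenIdStripDemo {

    /** A stored token: the identifier it was registered under plus an opaque payload. */
    static final class Entry { final String id, token; Entry(String id, String token) { this.id = id; this.token = token; } }

    /** Buggy lookup: treats every stored id as if it began with '#', so any first character is dropped. */
    static String lookupBlindStrip(List<Entry> store, String wanted) {
        for (Entry e : store) {
            if (e.id.equals(wanted) || e.id.substring(1).equals(wanted)) {
                return e.token;
            }
        }
        return null;
    }

    /** Fixed lookup: only a leading '#' (a local fragment reference) is removed before comparing. */
    static String lookupFragmentAware(List<Entry> store, String wanted) {
        for (Entry e : store) {
            String local = e.id.startsWith("#") ? e.id.substring(1) : e.id;
            if (e.id.equals(wanted) || local.equals(wanted)) {
                return e.token;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<Entry> store = new ArrayList<>();
        // Constructed entries using the identifiers from Dan's trace; the payloads are placeholders.
        store.add(new Entry("7EA37A075C8888C7BE12367220453773", "token-A"));
        store.add(new Entry("#sctId-1176318351", "token-B"));

        String[] probes = {
            "7EA37A075C8888C7BE12367220453773",  // a valid stored id
            "EA37A075C8888C7BE12367220453773",   // the hex id minus its first char, which is not a real id
            "#sctId-1176318351",                  // the attached (fragment) reference form
            "sctId-1176318351"                    // the same id without the fragment marker
        };
        for (String p : probes) {
            System.out.printf("%-34s blind=%-8s fixed=%s%n", p, lookupBlindStrip(store, p), lookupFragmentAware(store, p));
        }
    }
}
```

The run shows the "blind" column resolving the truncated hex id to token-A, which is exactly the last line of Dan's trace, while the "fixed" column returns null for it and still resolves the three legitimate forms.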